Edit tour

Windows Analysis Report
9VbeqQbgU4.exe

Overview

General Information

Sample name:	9VbeqQbgU4.exe renamed because original name is a hash value
Original sample name:	a91b4875630c4f702ab63f94ed633da4.exe
Analysis ID:	1564404
MD5:	a91b4875630c4f702ab63f94ed633da4
SHA1:	d485e90a501aa11f89f684063e5fbe235937f0bf
SHA256:	d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c
Tags:	exeuser-smica83
Infos:

Detection

RedLine, SectopRAT

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	48
Range:	0 - 100

Signatures

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

Yara detected SectopRAT

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Contains functionality to register a low level keyboard hook

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Sigma detected: Use Short Name Path in Command Line

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

9VbeqQbgU4.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\9VbeqQbgU4.exe" MD5: A91B4875630C4F702AB63F94ED633DA4)

9VbeqQbgU4.tmp (PID: 3956 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" MD5: 6AB2AF20157D2F440E8B22982F6247C5)

powershell.exe (PID: 1516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dobi.exe (PID: 5580 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe" MD5: A439025E40533F6E78C74FE8E9CE9875)

more.com (PID: 6212 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 3664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

svchost.exe (PID: 2340 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

coml.exe (PID: 4208 cmdline: "C:\Users\user\AppData\Roaming\sto\coml.exe" MD5: A439025E40533F6E78C74FE8E9CE9875)

more.com (PID: 1588 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 4132 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\mebamtoyxy	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\mebamtoyxy	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\mebamtoyxy	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2441564536.0000000005B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2441564536.0000000005B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.2196810054.00000000062A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2196810054.00000000062A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000011.00000002.2441992162.0000000000C02000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2441992162.0000000000C02000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 1516	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc5d4e7:$b1: ::WriteAllBytes( 0xc5d4b4:$b2: ::FromBase64String( 0x660154:$s1: -join 0xc688fc:$s1: -join 0xc759d1:$s1: -join 0xc78da3:$s1: -join 0xc79455:$s1: -join 0xc7af46:$s1: -join 0xc7d14c:$s1: -join 0xc7d973:$s1: -join 0xc7e1e3:$s1: -join 0xc7e91e:$s1: -join 0xc7e950:$s1: -join 0xc7e998:$s1: -join 0xc7e9b7:$s1: -join 0xc7f207:$s1: -join 0xc7f383:$s1: -join 0xc7f3fb:$s1: -join 0xc7f48e:$s1: -join 0xc7f6f4:$s1: -join 0xc8188a:$s1: -join
Process Memory Space: more.com PID: 6212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: more.com PID: 6212	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 3664	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: more.com PID: 1588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: more.com PID: 1588	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 4132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 4132	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.more.com.5b900c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.more.com.5b900c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.more.com.5b900c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
10.2.more.com.62a00c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.more.com.62a00c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.more.com.62a00c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
17.2.MSBuild.exe.c00000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.MSBuild.exe.c00000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.MSBuild.exe.c00000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.more.com.5b900c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.more.com.5b900c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.more.com.5b900c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
10.2.more.com.62a00c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.more.com.62a00c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.more.com.62a00c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 10 entries

Other

Source	Rule	Description	Author	Strings
amsi32_1516.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x57db01:$b1: ::WriteAllBytes( 0x57dacd:$b2: ::FromBase64String( 0x58a0c2:$s1: -join 0x58386e:$s4: += 0x583930:$s4: += 0x587b57:$s4: += 0x589c74:$s4: += 0x589f5e:$s4: += 0x58a0a4:$s4: += 0x58d8ba:$s4: += 0x58d9be:$s4: += 0x590e1a:$s4: += 0x5914fa:$s4: += 0x5919b0:$s4: += 0x591a05:$s4: += 0x591c79:$s4: += 0x591ca8:$s4: += 0x5921f0:$s4: += 0x59221f:$s4: += 0x5922fe:$s4: += 0x594595:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp, ParentProcessId: 3956, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", ProcessId: 1516, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp, ParentProcessId: 3956, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", ProcessId: 1516, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp, ParentProcessId: 3956, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", ProcessId: 1516, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1516, TargetFilename: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 2340, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT3EC5.tmp

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp, ParentCommandLine: "C:\Users\user\Desktop\9VbeqQbgU4.exe", ParentImage: C:\Users\user\Desktop\9VbeqQbgU4.exe, ParentProcessId: 6404, ParentProcessName: 9VbeqQbgU4.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ProcessId: 3956, ProcessName: 9VbeqQbgU4.tmp

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp, ParentProcessId: 3956, ParentProcessName: 9VbeqQbgU4.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1", ProcessId: 1516, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2340, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T10:05:53.330123+0100	2029217	1	Malware Command and Control Activity Detected	45.141.84.168	15647	192.168.2.7	49887	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T10:05:52.148906+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49887	45.141.84.168	15647	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T10:05:57.247711+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49896	45.141.84.168	9000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\mebamtoyxy	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\sto\BIT3445.tmp	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\sto\coml.exe (copy)	ReversingLabs: Detection: 37%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.8% probability

Compliance

Uses 32bit PE files

Source: 9VbeqQbgU4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: 9VbeqQbgU4.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49847 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 9VbeqQbgU4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1994206987.0000000008B80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: dobi.exe, 00000007.00000002.2036823237.0000018064BA7000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2115155764.00000180673B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: more.com, 0000000A.00000002.2196255608.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000A.00000002.2195856917.0000000004CC6000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2440909941.0000000004DCD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441286289.00000000052A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: dobi.exe, 00000007.00000002.2036823237.0000018064BA7000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2115155764.00000180673B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: more.com, 0000000A.00000002.2196255608.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000A.00000002.2195856917.0000000004CC6000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2440909941.0000000004DCD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441286289.00000000052A0000.00000004.00001000.00020000.00000000.sdmp

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06ABEDC5h		13_2_06ABE79D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06ABEDC5h		13_2_06ABEDA1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:49887 -> 45.141.84.168:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.7:49887
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49896 -> 45.141.84.168:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 45.141.84.168 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49896

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49887 -> 45.141.84.168:15647

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: MEDIALAND-ASRU MEDIALAND-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.133
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.133
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3266250140.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3260449809.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
Source: MSBuild.exe, 0000000D.00000002.3260449809.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE.G
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AEP
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000004.00000002.1996930254.000000000A941000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.000001806718E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: powershell.exe, 00000004.00000002.1996930254.000000000A941000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.000001806718E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: powershell.exe, 00000004.00000002.1994433535.0000000008C09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000004.00000002.1981936282.0000000007B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: svchost.exe, 0000000C.00000003.2038242908.00000210CFDD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://int3.de/
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jedwatson.github.io/classnames
Source: powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: dobi.exe, 00000007.00000002.2050527233.000001806718E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1937136728.0000000005061000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3266250140.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B2E000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	String found in binary or memory: http://vovsoft.com
Source: dobi.exe, 00000007.00000000.1875791170.0000000001499000.00000002.00000001.01000000.0000000A.sdmp, dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.00000180670CF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, svchost.exe, 0000000C.00000003.2083606999.00000210D12DE000.00000004.00000020.00020000.00000000.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B3A000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	String found in binary or memory: http://vovsoft.com/
Source: dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B2E000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/open
Source: dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B3A000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/
Source: dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe.4.dr	String found in binary or memory: http://vovsoft.com/help/
Source: dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B34000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	String found in binary or memory: http://vovsoft.comopen
Source: powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: dobi.exe, 00000007.00000002.2032606953.0000018064556000.00000004.00001000.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000002.2385507200.00000274BC0CE000.00000004.00001000.00020000.00000000.sdmp, dobi.exe.4.dr	String found in binary or memory: http://www.indyproject.org/
Source: dobi.exe, 00000007.00000002.2133818177.0000018067888000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.000000000502F000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.0000000005125000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: powershell.exe, 00000004.00000002.1937136728.0000000005061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 0000000C.00000003.2038242908.00000210CFE29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000C.00000003.2038242908.00000210CFDD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/focus-trap/tabbable/blob/master/LICENSE
Source: 9VbeqQbgU4.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: MSBuild.exe, 00000011.00000002.2451008934.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/cLika3dt
Source: MSBuild.exe, 00000011.00000002.2451008934.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/cLika3dtPO
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicon-1.ico
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_default.svg
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_docs.svg
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_presentations.svg
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_print.svg
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_sites.svg
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_social_media.svg
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_video.svg
Source: 9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static.canva.com/static/images/favicons/favicon_app_whiteboards.svg
Source: dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B3A000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/H
Source: powershell.exe, 00000004.00000002.1996930254.000000000AE61000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.000001806718E000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1875791170.0000000001558000.00000002.00000001.01000000.0000000A.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B69000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	String found in binary or memory: https://vovsoft.com/translation/
Source: 9VbeqQbgU4.exe, 00000000.00000003.2181522833.0000000002CB3000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000003.2166140812.0000000001703000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.canva.com
Source: 9VbeqQbgU4.exe, 00000000.00000003.2181522833.0000000002CC1000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000003.2166140812.0000000001711000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.canva.com/download
Source: 9VbeqQbgU4.exe, 00000000.00000003.2181522833.0000000002C96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.canva.com/help
Source: dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 9VbeqQbgU4.exe, 00000000.00000003.1397774698.000000007E28B000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1397272912.0000000003150000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000000.1400596788.0000000000C11000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: powershell.exe, 00000004.00000002.1996930254.000000000A941000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.000001806718E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.karenware.com/powertools/ptwhois0
Source: 9VbeqQbgU4.exe, 00000000.00000003.1397774698.000000007E28B000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1397272912.0000000003150000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000000.1400596788.0000000000C11000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49847 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_06AB28C8 SetWindowsHookExW 0000000D,00000000,?,?

13_2_06AB28C8

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_1516.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 15.2.more.com.5b900c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 10.2.more.com.62a00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 17.2.MSBuild.exe.c00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.more.com.5b900c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 10.2.more.com.62a00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1516, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\mebamtoyxy, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe

Jump to dropped file

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe

Code function: 7_2_00CF446E NtQuerySystemInformation,

7_2_00CF446E

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07A55E50	4_2_07A55E50
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Code function: 7_2_00CF7E91	7_2_00CF7E91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9C880	13_2_00E9C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E91070	13_2_00E91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9B01F	13_2_00E9B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9D110	13_2_00E9D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E915E0	13_2_00E915E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9A8FB	13_2_00E9A8FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9C843	13_2_00E9C843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9A908	13_2_00E9A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9D0F3	13_2_00E9D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9B09E	13_2_00E9B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E91060	13_2_00E91060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E915C3	13_2_00E915C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9BD64	13_2_00E9BD64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9BD78	13_2_00E9BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693D7C8	13_2_0693D7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06930F28	13_2_06930F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693CD08	13_2_0693CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06938AF8	13_2_06938AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693A0A0	13_2_0693A0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_069366F0	13_2_069366F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693D7BA	13_2_0693D7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693EFF0	13_2_0693EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06930F13	13_2_06930F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693C4D8	13_2_0693C4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693CCF8	13_2_0693CCF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693ED31	13_2_0693ED31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693ED40	13_2_0693ED40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06933D67	13_2_06933D67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_069382E0	13_2_069382E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06935BBD	13_2_06935BBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06935BD8	13_2_06935BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0693A092	13_2_0693A092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AAE4B9	13_2_06AAE4B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AAE4C8	13_2_06AAE4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AAD220	13_2_06AAD220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AA58C0	13_2_06AA58C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB46F8	13_2_06AB46F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB57F0	13_2_06AB57F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB7700	13_2_06AB7700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB2CB8	13_2_06AB2CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06ABDCEC	13_2_06ABDCEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB3D60	13_2_06AB3D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06ABB2F0	13_2_06ABB2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB52C8	13_2_06AB52C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB6248	13_2_06AB6248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB6B88	13_2_06AB6B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB1370	13_2_06AB1370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB0040	13_2_06AB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06ABC688	13_2_06ABC688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06ABC679	13_2_06ABC679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB57D6	13_2_06AB57D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06ABE70E	13_2_06ABE70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB2CA8	13_2_06AB2CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB3448	13_2_06AB3448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB3446	13_2_06AB3446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB3451	13_2_06AB3451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06ABBDB8	13_2_06ABBDB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB3D51	13_2_06AB3D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB52B8	13_2_06AB52B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AB83DA	13_2_06AB83DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_0127B01F	17_2_0127B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_01271070	17_2_01271070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_012715E0	17_2_012715E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_01271060	17_2_01271060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_0127B09E	17_2_0127B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_012715C3	17_2_012715C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_0127A908	17_2_0127A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_0127BD78	17_2_0127BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 17_2_0127BD45	17_2_0127BD45

PE file contains executable resources (Code or Archives)

Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-SR6MP.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: dobi.exe.4.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: BIT3445.tmp.12.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file contains more sections than normal

Source: 9VbeqQbgU4.exe	Static PE information: Number of sections : 11 > 10
Source: is-N7DP5.tmp.2.dr	Static PE information: Number of sections : 14 > 10
Source: dobi.exe.4.dr	Static PE information: Number of sections : 11 > 10
Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: is-SR6MP.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: BIT3445.tmp.12.dr	Static PE information: Number of sections : 11 > 10

PE file contains strange resources

Source: 9VbeqQbgU4.exe	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: is-SR6MP.tmp.2.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: is-N7DP5.tmp.2.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: is-B2DEV.tmp.2.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: 9VbeqQbgU4.exe, 00000000.00000000.1389530627.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe
Source: 9VbeqQbgU4.exe, 00000000.00000003.1397272912.000000000325F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe
Source: 9VbeqQbgU4.exe, 00000000.00000003.1397774698.000000007E57B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe
Source: 9VbeqQbgU4.exe	Binary or memory string: OriginalFileName vs 9VbeqQbgU4.exe

Uses 32bit PE files

Source: 9VbeqQbgU4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: amsi32_1516.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 15.2.more.com.5b900c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 10.2.more.com.62a00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 17.2.MSBuild.exe.c00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.more.com.5b900c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 10.2.more.com.62a00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: powershell.exe PID: 1516, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Temp\mebamtoyxy, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 10.2.more.com.62a00c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.more.com.5b900c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@20/185@1/2

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp

File created: C:\Program Files (x86)\Canva

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Package.zip

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Mutant created: \Sessions\1\BaseNamedObjects\VOVSOFT_Window_Resizer
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\a381c7bea27345e09604787bfabaa590
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2864:120:WilError_03

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp

Jump to behavior

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: 9VbeqQbgU4.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe

File read: C:\Users\user\Desktop\9VbeqQbgU4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9VbeqQbgU4.exe "C:\Users\user\Desktop\9VbeqQbgU4.exe"
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe"
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sto\coml.exe "C:\Users\user\AppData\Roaming\sto\coml.exe"
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp "C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Canva.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Canva\Canva.exe
Source: sfaldnatxf.10.dr	LNK file: ..\..\..\..\user\AppData\Roaming\sto\coml.exe
Source: BIT3EC5.tmp.12.dr	LNK file: ..\..\..\..\user\AppData\Roaming\sto\coml.exe

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Automated click: Next

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: 9VbeqQbgU4.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: 9VbeqQbgU4.exe

Static file information: File size 87653216 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 9VbeqQbgU4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: 9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1994206987.0000000008B80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: dobi.exe, 00000007.00000002.2036823237.0000018064BA7000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2115155764.00000180673B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: more.com, 0000000A.00000002.2196255608.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000A.00000002.2195856917.0000000004CC6000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2440909941.0000000004DCD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441286289.00000000052A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: dobi.exe, 00000007.00000002.2036823237.0000018064BA7000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2115155764.00000180673B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: more.com, 0000000A.00000002.2196255608.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000A.00000002.2195856917.0000000004CC6000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2440909941.0000000004DCD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441286289.00000000052A0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($encodedData);[System.IO.File]::WriteAllBytes($archiveFile, $decodedBytes);New-Item -ItemType Directory -Path $installPath;Expand-Archive -Path $archiveFile -DestinationPath $installP

PE file contains sections with non-standard names

Source: 9VbeqQbgU4.exe	Static PE information: section name: .didata
Source: 9VbeqQbgU4.tmp.0.dr	Static PE information: section name: .didata
Source: is-U9DO2.tmp.2.dr	Static PE information: section name: .gxfg
Source: is-U9DO2.tmp.2.dr	Static PE information: section name: .retplne
Source: is-U9DO2.tmp.2.dr	Static PE information: section name: _RDATA
Source: is-UK1KN.tmp.2.dr	Static PE information: section name: .gxfg
Source: is-UK1KN.tmp.2.dr	Static PE information: section name: .retplne
Source: is-UK1KN.tmp.2.dr	Static PE information: section name: _RDATA
Source: is-UNVOH.tmp.2.dr	Static PE information: section name: .gxfg
Source: is-UNVOH.tmp.2.dr	Static PE information: section name: .retplne
Source: is-UNVOH.tmp.2.dr	Static PE information: section name: _RDATA
Source: is-SR6MP.tmp.2.dr	Static PE information: section name: .didata
Source: is-N7DP5.tmp.2.dr	Static PE information: section name: .gxfg
Source: is-N7DP5.tmp.2.dr	Static PE information: section name: .retplne
Source: is-N7DP5.tmp.2.dr	Static PE information: section name: .rodata
Source: is-N7DP5.tmp.2.dr	Static PE information: section name: CPADinfo
Source: is-N7DP5.tmp.2.dr	Static PE information: section name: LZMADEC
Source: is-N7DP5.tmp.2.dr	Static PE information: section name: _RDATA
Source: is-N7DP5.tmp.2.dr	Static PE information: section name: malloc_h
Source: is-EHJBJ.tmp.2.dr	Static PE information: section name: .gxfg
Source: is-EHJBJ.tmp.2.dr	Static PE information: section name: .retplne
Source: is-EHJBJ.tmp.2.dr	Static PE information: section name: _RDATA
Source: is-ON0A3.tmp.2.dr	Static PE information: section name: .gxfg
Source: is-ON0A3.tmp.2.dr	Static PE information: section name: .retplne
Source: is-ON0A3.tmp.2.dr	Static PE information: section name: _RDATA
Source: dobi.exe.4.dr	Static PE information: section name: .didata
Source: BIT3445.tmp.12.dr	Static PE information: section name: .didata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07A53231 pushad ; retf	4_2_07A5323D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07A5AB5B pushad ; retf	4_2_07A5AB61
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07CF4D10 push eax; iretd	4_2_07CF509E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07CF1E9D push ds; iretd	4_2_07CF1E9E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07CF0E4C push cs; iretd	4_2_07CF0E4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07CF0608 push es; iretd	4_2_07CF06EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07CF55D8 push edi; iretd	4_2_07CF5726
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07CF9CAC pushfd ; iretd	4_2_07CF9CB6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07CF51B0 push ebx; iretd	4_2_07CF53FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00E9EC5D push eax; iretd	13_2_00E9EC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06932429 push esp; ret	13_2_06932431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AAB0FA push es; ret	13_2_06AAB100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AA6EE8 push es; iretd	13_2_06AA6EF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06AA0B30 push es; ret	13_2_06AA0B40
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_000000A1F45CE910 pushad ; retf	14_2_000000A1F45CE911
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_00000274BA82B8C7 push ebx; iretd	14_2_00000274BA82B8CC
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_00000274BA8258E0 push eax; iretd	14_2_00000274BA8258E1
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Code function: 14_2_00000274BA8258E8 pushad ; iretd	14_2_00000274BA8258E9

Source: ggejkdxocdbcf.10.dr	Static PE information: section name: .text entropy: 6.816467095523557
Source: mebamtoyxy.15.dr	Static PE information: section name: .text entropy: 6.816467095523557

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	File created: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-UK1KN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\vk_swiftshader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\vulkan-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\mebamtoyxy	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-SR6MP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-B2DEV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\resources\is-NK1KE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\resources\elevate.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\sto\BIT3445.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-PO2CC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-N7DP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\Canva.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\ffmpeg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-U9DO2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-EHJBJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-UNVOH.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\sto\coml.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\is-ON0A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-6VQJV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\Program Files (x86)\Canva\libGLESv2.dll (copy)	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf			Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\mebamtoyxy			Jump to dropped file

Boot Survival

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT3EC5.tmp

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canva	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canva\Canva.lnk	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT3EC5.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GGEJKDXOCDBCF
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MEBAMTOYXY

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49896

Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9VbeqQbgU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\more.com

API/Special instruction interceptor: Address: 769C3B54

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4C30000 memory reserve \| memory write watch

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\user\AppData\Roaming\sto\coml.exe

Code function: 14_2_000000A1F45CAD80 sldt word ptr [eax]

14_2_000000A1F45CAD80

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7002	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1550	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 696	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\resources\is-NK1KE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-UK1KN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\resources\elevate.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\vk_swiftshader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-PO2CC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-N7DP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\vulkan-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mebamtoyxy	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\Canva.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\ffmpeg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-U9DO2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-EHJBJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-SR6MP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-UNVOH.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-B2DEV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\is-ON0A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6VQJV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Canva\libGLESv2.dll (copy)	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3700	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6224	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6224	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6536	Thread sleep time: -59872s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2196	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2196	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6536	Thread sleep time: -41280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6016	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 724	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59872	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: powershell.exe, 00000004.00000002.1935712293.0000000003524000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\M<k.
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 0000000C.00000002.3259180253.00000210CA82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3260766267.00000210CFE48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3260822359.00000210CFE59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 0000000D.00000002.3266250140.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MSBuild.exe, 0000000D.00000002.3260449809.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: BIT3445.tmp.12.dr

Jump to dropped file

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1"

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x18710	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtClose: Direct from: 0x16F5
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x274BF2FE37E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB2BC260D4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtReadFile: Direct from: 0x2C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtProtectVirtualMemory: Direct from: 0xFDBF0FB7C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtCreateFile: Direct from: 0xA100000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0xFF131FB5D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtAllocateVirtualMemory: Direct from: 0x2CC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtCreateFile: Direct from: 0x18000000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtCreateFile: Direct from: 0x27400000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtClose: Direct from: 0x219
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtProtectVirtualMemory: Direct from: 0x18067A6A37E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtClose: Direct from: 0x1F1
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtCreateFile: Direct from: 0x6400000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtQuerySystemInformation: Direct from: 0x7FFB2BC26118	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtDelayExecution: Direct from: 0xA1F45CE340	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x2F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x274BA827000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtClose: Direct from: 0x7FFB2BC2CDF8
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtReadFile: Direct from: 0x1EF590	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtReadFile: Direct from: 0x2DC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtClose: Direct from: 0x101
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtProtectVirtualMemory: Direct from: 0x1806623B7F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtProtectVirtualMemory: Direct from: 0x3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB2BC38E14	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	NtAllocateVirtualMemory: Direct from: 0x40	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	NtDelayExecution: Direct from: 0x648A74E450	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 70101000	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9FF008	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 70101000
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: ACE008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe "C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B6C000.00000020.00000001.01000000.00000012.sdmp

Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\dac5e65e VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\f0a9efc8 VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 15.2.more.com.5b900c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.more.com.62a00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.more.com.5b900c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.more.com.62a00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2441564536.0000000005B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2196810054.00000000062A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2441992162.0000000000C02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 1588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mebamtoyxy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 3664, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 15.2.more.com.5b900c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.more.com.62a00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.more.com.5b900c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.more.com.62a00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2441564536.0000000005B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2196810054.00000000062A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2441992162.0000000000C02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 1588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mebamtoyxy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 15.2.more.com.5b900c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.more.com.62a00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.more.com.5b900c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.more.com.62a00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2441564536.0000000005B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2196810054.00000000062A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2441992162.0000000000C02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 1588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mebamtoyxy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 3664, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	2 Registry Run Keys / Startup Folder	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	223 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	212 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	431 Security Software Discovery	SMB/Windows Admin Shares	11 Input Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Masquerading	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	261 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9VbeqQbgU4.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Canva\Canva.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\ffmpeg.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-B2DEV.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-EHJBJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-N7DP5.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-ON0A3.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-PO2CC.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-U9DO2.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-UK1KN.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\is-UNVOH.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\libEGL.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\libGLESv2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\resources\elevate.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\resources\is-NK1KE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Canva\vk_swiftshader.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Canva\vulkan-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf	71%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Local\Temp\is-6VQJV.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\mebamtoyxy	71%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe	38%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\sto\BIT3445.tmp	38%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\sto\coml.exe (copy)	38%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
http://vovsoft.com/blog/how-to-activate-using-license-key/open	0%	Avira URL Cloud	safe
http://vovsoft.comopen	0%	Avira URL Cloud	safe
http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/	0%	Avira URL Cloud	safe
https://vovsoft.com/blog/credits-and-acknowledgements/H	0%	Avira URL Cloud	safe
http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE.G	0%	Avira URL Cloud	safe
https://vovsoft.com/translation/	0%	Avira URL Cloud	safe
https://www.karenware.com/powertools/ptwhois0	0%	Avira URL Cloud	safe
http://45.141.84.168:9000	0%	Avira URL Cloud	safe
http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AEP	0%	Avira URL Cloud	safe
http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high
time.windows.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://vovsoft.comopen	dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B34000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	9VbeqQbgU4.exe	false		high
http://www.vmware.com/0	dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000004.00000002.1981936282.0000000007B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/	dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B3A000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	false		high
http://vovsoft.com/blog/how-to-activate-using-license-key/open	dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B2E000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	dobi.exe, 00000007.00000002.2032606953.0000018064556000.00000004.00001000.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000002.2385507200.00000274BC0CE000.00000004.00001000.00020000.00000000.sdmp, dobi.exe.4.dr	false		high
https://static.canva.com/static/images/favicons/favicon_app_sites.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/cLika3dt	MSBuild.exe, 00000011.00000002.2451008934.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_print.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_whiteboards.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
http://int3.de/	9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	false		high
https://github.com/focus-trap/tabbable/blob/master/LICENSE	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
http://vovsoft.com/	dobi.exe, 00000007.00000000.1875791170.0000000001499000.00000002.00000001.01000000.0000000A.sdmp, dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.00000180670CF000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, svchost.exe, 0000000C.00000003.2083606999.00000210D12DE000.00000004.00000020.00020000.00000000.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B3A000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	false		high
http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE.G	MSBuild.exe, 0000000D.00000002.3260449809.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.canva.com/static/images/favicon-1.ico	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.1937136728.0000000005061000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vovsoft.com/blog/credits-and-acknowledgements/H	dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B3A000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	9VbeqQbgU4.exe, 00000000.00000003.1397774698.000000007E28B000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1397272912.0000000003150000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000000.1400596788.0000000000C11000.00000020.00000001.01000000.00000004.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	9VbeqQbgU4.exe, 00000000.00000003.1397774698.000000007E28B000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.exe, 00000000.00000003.1397272912.0000000003150000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000000.1400596788.0000000000C11000.00000020.00000001.01000000.00000004.sdmp	false		high
https://www.canva.com/help	9VbeqQbgU4.exe, 00000000.00000003.2181522833.0000000002C96000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_docs.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_video.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1937136728.0000000005061000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3266250140.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.canva.com/download	9VbeqQbgU4.exe, 00000000.00000003.2181522833.0000000002CC1000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000003.2166140812.0000000001711000.00000004.00001000.00020000.00000000.sdmp	false		high
http://jedwatson.github.io/classnames	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://vovsoft.com	dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B2E000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/cLika3dtPO	MSBuild.exe, 00000011.00000002.2451008934.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vovsoft.com/translation/	powershell.exe, 00000004.00000002.1996930254.000000000AE61000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.000001806718E000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1875791170.0000000001558000.00000002.00000001.01000000.0000000A.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, coml.exe, 0000000E.00000000.2224200323.0000000000B69000.00000020.00000001.01000000.00000012.sdmp, dobi.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1943881761.0000000006AC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_social_media.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.canva.com	9VbeqQbgU4.exe, 00000000.00000003.2181522833.0000000002CB3000.00000004.00001000.00020000.00000000.sdmp, 9VbeqQbgU4.tmp, 00000002.00000003.2166140812.0000000001703000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.vmware.com/0/	dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 0000000C.00000003.2038242908.00000210CFDD0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.141.84.168:9000	MSBuild.exe, 0000000D.00000002.3266250140.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3266250140.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.karenware.com/powertools/ptwhois0	powershell.exe, 00000004.00000002.1996930254.000000000A941000.00000004.00000800.00020000.00000000.sdmp, dobi.exe, 00000007.00000002.2050527233.000001806718E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vovsoft.com/help/	dobi.exe, 00000007.00000002.2050527233.0000018066801000.00000004.00000020.00020000.00000000.sdmp, dobi.exe, 00000007.00000000.1859011510.0000000000BA1000.00000020.00000001.01000000.0000000A.sdmp, dobi.exe.4.dr	false		high
http://www.symauth.com/cps0(	dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 0000000C.00000003.2038242908.00000210CFE29000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.141.84.168:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AEP	MSBuild.exe, 0000000D.00000002.3266250140.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000004.00000002.1994433535.0000000008C09000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	9VbeqQbgU4.tmp, 00000002.00000002.2177075982.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	dobi.exe, 00000007.00000002.2133818177.0000018067AB1000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.0000000005077000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.000000000516D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1937136728.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	dobi.exe, 00000007.00000002.2133818177.0000018067888000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000A.00000002.2196053721.000000000502F000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000F.00000002.2441086238.0000000005125000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_default.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.canva.com/static/images/favicons/favicon_app_presentations.svg	9VbeqQbgU4.tmp, 00000002.00000003.2151405085.0000000005920000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.141.84.168	unknown	Russian Federation		206728	MEDIALAND-ASRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564404
Start date and time:	2024-11-28 10:03:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9VbeqQbgU4.exe renamed because original name is a hash value
Original Sample Name:	a91b4875630c4f702ab63f94ed633da4.exe
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@20/185@1/2
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 99% Number of executed functions: 120 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 40.81.94.65, 20.109.210.53, 2.22.50.144, 2.22.50.131, 20.242.39.171, 23.206.197.43, 23.206.197.8, 23.206.197.50, 23.206.197.51, 23.206.197.58, 23.206.197.56, 23.206.197.49, 23.206.197.48, 23.206.197.42
Excluded domains from analysis (whitelisted): www.bing.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, www-www.bing.com.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 4132 because it is empty
Execution Graph export aborted for target coml.exe, PID 4208 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1516 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 9VbeqQbgU4.exe

Simulations

Behavior and APIs

Time	Type	Description
10:05:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coml.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	DarkGate_Loader.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://public-fra.mkt.dynamics.com/api/orgs/85a8c477-bea7-ef11-8a66-0022483994f9/r/MKSqoVs73k-RUO5uHPfRswIAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fassets-fra.mkt.dynamics.com%252F85a8c477-bea7-ef11-8a66-0022483994f9%252Fdigitalassets%252Fstandaloneforms%252F46042089-b8ac-ef11-a72d-6045bd6e29e8%22%2C%22RedirectOptions%22%3A%7B%226%22%3A%22mktprf9fb729cc84d74db3bce9a30da7409e87eoprf%22%2C%221%22%3Anull%7D%7D&digest=juexwq7Jl6DCR7CneIIynCjAtNPRJ1FxLmm99rnbDLA%3D&secretVersion=02e7c83d621d4269af2f08a8e4e233cf	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://www.google.rs/url?q=160CHARtTPSJ3J3wDyycT&sa=t&esrc=TYsrCFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/aloperdehatti.com/on/wTARVgfa92/%61%6C%65%73%73%69%61%2E%64%61%6E%69%65%6C%65%40%74%6F%6E%69%6E%63%61%73%61%2E%69%74&ugs=n8CoFFz5hZ4Yaxn3ZJryvKlaQxQ-BOyvjZ0GlahI9shjnWfTZ1du_w==	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.63
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.63
	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf (1).js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf .js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	hotel11-27.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MEDIALAND-ASRU	SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe	Get hash	malicious	RedLine, SectopRAT	Browse	45.141.86.82
	ExeFile (236).exe	Get hash	malicious	Oski	Browse	45.141.84.184
	bLNr5K5U7B.elf	Get hash	malicious	Mirai	Browse	45.141.84.241
	aqua.arm7	Get hash	malicious	Mirai	Browse	45.141.84.246
	5xPf2c2uL7.exe	Get hash	malicious	RedLine SmokeLoader	Browse	45.141.84.21
	VsaIxu42Ks.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21
	16vbR3UTik.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21
	VJHkHNoW68.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21
	SF45gO3Bc8.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	45.141.84.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Scan_6090402.pdf	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://public-fra.mkt.dynamics.com/api/orgs/85a8c477-bea7-ef11-8a66-0022483994f9/r/MKSqoVs73k-RUO5uHPfRswIAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fassets-fra.mkt.dynamics.com%252F85a8c477-bea7-ef11-8a66-0022483994f9%252Fdigitalassets%252Fstandaloneforms%252F46042089-b8ac-ef11-a72d-6045bd6e29e8%22%2C%22RedirectOptions%22%3A%7B%226%22%3A%22mktprf9fb729cc84d74db3bce9a30da7409e87eoprf%22%2C%221%22%3Anull%7D%7D&digest=juexwq7Jl6DCR7CneIIynCjAtNPRJ1FxLmm99rnbDLA%3D&secretVersion=02e7c83d621d4269af2f08a8e4e233cf	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://www.google.rs/url?q=160CHARtTPSJ3J3wDyycT&sa=t&esrc=TYsrCFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/aloperdehatti.com/on/wTARVgfa92/%61%6C%65%73%73%69%61%2E%64%61%6E%69%65%6C%65%40%74%6F%6E%69%6E%63%61%73%61%2E%69%74&ugs=n8CoFFz5hZ4Yaxn3ZJryvKlaQxQ-BOyvjZ0GlahI9shjnWfTZ1du_w==	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.63
	https://hcm55.sapsf.eu/sf/liveprofile?company=jernimomarP2&blockId=block2109&_s.crb=USKEprAmKRumsjVSyLJPCEVj9GAzHD70l0UaoJsp%252f50%253d	Get hash	malicious	Unknown	Browse	13.107.246.63
	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf (1).js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	invoice-1664809283.pdf .js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	hotel11-27.ps1	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)	ivySCI-5.6.3.exe	Get hash	malicious	Unknown	Browse
	ivySCI-5.6.3.exe	Get hash	malicious	Unknown	Browse
	MayitaV16.exe	Get hash	malicious	Unknown	Browse
	Xa04iTOvv5.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse
	Launcher 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Launcher 1.0.0.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176670344
Entropy (8bit):	6.752951259704491
Encrypted:	false
SSDEEP:	1572864:XgRMg/aKxl4b7qCDQtjovZT78wLF2pArKgDz6ObiISXD+Dyj3eRalD2kGpTe/2Hh:ng/geeFXzGa9cz
MD5:	762DF055F5A0FCDE30E96F0D6B84D6F0
SHA1:	9F669E5FCA1AE9C2EFD505FCD80D1948B2BB79F8
SHA-256:	8C2D451098E847FA5498E3BFFC8DDF93CDBC150355A7B6568E0984568EED4FAA
SHA-512:	68107C096A6E18C0DEB68CCDB2513F47038CC618313F4E9A858DC8367D372B3EAA81973AE00385DD1E5DC542EACEC4FE695847C47E85C571E9D8AEE06E8E646D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......4.....................@.............................`.......{....`.........................................G....j..4...T....0..<W...pe...F..n...X......................................(...@o..@.......................`....................text...U2.......4.................. ..`.rdata.......P.......8..............@..@.data.....D..p ......P .............@....pdata....F..pe...F...).............@..@.gxfg....A...P...B....p.............@..@.retplne............. q..................rodata.............."q............. ..`.tls....i...........4q.............@...CPADinfo8...........:q.............@...LZMADEC.............<q............. ..`_RDATA..\............Nq.............@..@malloc_h..... .......Pq............. ..`.rsrc...<W...0...X...Rq.............@..@.reloc................x.............@..B........................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7548815576547433
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqd:2JIB/wUKUKQncEmYRTwh00
MD5:	71544A8C341516D848F349A909DFFC4B
SHA1:	C4F47F937209021ABC3C4553EAFBC20AB46C3A14
SHA-256:	9B9D139CD0193A90918A41DECA02EA7A121140F396B66DEB8840EB02AC2C6FAC
SHA-512:	989F27A29940FA81C30AB4B5EAFFFF264BE17B38291C8CA2DBDFD35C3191D9DF693DBB22EF5DE298E717923C5FEF87635112B4E8F9329605A4DE1F941035730A
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.480408899621245
Encrypted:	false
SSDEEP:	48:jIWSU4xympjmZ9tz4RIoUeNWR831NFZ9001dqr:0LHxvMZfIfjW8fS01Yr
MD5:	1691986686AB58606A00CE11CFB87691
SHA1:	FEE5FDA79974A5AFA8A6FC53C4497E7AA90DAE04
SHA-256:	499A709687A016FC2BDA34B74EA6EB494EFFC97CA418D6F95B55E3A436BBFC36
SHA-512:	A44618DD8F3BBE02B4E7978B55B8868031CE4963A89A6E8CFE31699C4A65B94441D3EEE2F5582F2759735599EF82C85E4C79390687AA57CCB438F664720E9735
Malicious:	false
Preview:	@...e...........K.....................-.;.......................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.D....................+.H..!...e........System.Configuration.Ins

Process:	C:\Windows\SysWOW64\more.com
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	786944
Entropy (8bit):	6.80933482022886
Encrypted:	false
SSDEEP:	12288:uvsXZv8km0OHcbGbvzWHz0HnquwMr+g0ssFWylkkoAbtEgIwfNqbYS2VbICKMIUx:ZfPz0HvSg0ssFlSjBcT
MD5:	2B209F07C6251E367835FBF30E7C348E
SHA1:	CD5534D4871AEBA9351941CF548B2E63F492A609
SHA-256:	A499ADF007DF84FC58178A1FD861138C078731760BEA948501259C8E83E19783
SHA-512:	95FE64D09AD91A8DB600969279834E8EF6BBC2371FE3AFDD3D88F351CDDC858A4B247BCBAE1D4351914E0AB720D9372E342E2513C68D64086AFC7C388FC0678D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\ggejkdxocdbcf, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

Process:	C:\Users\user\Desktop\9VbeqQbgU4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3699712
Entropy (8bit):	6.605047198768081
Encrypted:	false
SSDEEP:	98304:wJYVM+LtVt3P/KuG2ONG9iqLRQV333K0i:BVL/tnHGYiqlnt
MD5:	6AB2AF20157D2F440E8B22982F6247C5
SHA1:	53C0DA8DE2EE2C50B79913A876EDCD7078897566
SHA-256:	C95F668AB97A0C6650381E0FC1A93AA043E3F899EEF09DD7A3B0837A4298838E
SHA-512:	5ED8B96A65C44F7CAB604440F21B5E2F331C38D2E7CA3EBB26A9C1750AE5E5690225EC0F6530E6C65589DC639FCBCBF9AFA80E85881B6F731118D0089559CB6D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@9...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	06/06/2024 02:52:51 07/06/2025 02:52:51
Subject Chain	CN="Hebei Qianyuan Biopharmaceutical Co., Ltd.", O="Hebei Qianyuan Biopharmaceutical Co., Ltd.", STREET="South of Xiangtong Village, Nanlou Township, Zhengding County", L=Shijiazhuang, S=Hebei, C=CN, OID.1.3.6.1.4.1.311.60.2.1.1=Shijiazhuang, OID.1.3.6.1.4.1.311.60.2.1.2=Hebei, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91130123MA09YCKA2U, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	471800388AAA9103A74D65E746957952
Thumbprint SHA-1:	F2EA1DD98D1AF0F9044C24B266475A5C61C6A658
Thumbprint SHA-256:	FF7A3EBC344477D9ADDC06569B913E13D5C9203193B34CCBADBEE3C7D116D846
Serial:	3790CF6A4249C71C54A5D812

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x69c1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5395178	0x29e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x69c1c	0x69e00	f6d14f45f8145bc951e2271802a63aca	False	0.38513457423258557	data	6.12883713458275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb708	0xb1b4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004616196254286
RT_ICON	0xd68bc	0x25228	Device independent bitmap graphic, 192 x 384 x 32, image size 147456, resolution 2835 x 2835 px/m	English	United States	0.24354389102193236
RT_ICON	0xfbae4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.30131314326274694
RT_ICON	0x10c30c	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m	English	United States	0.34824994744586923
RT_ICON	0x1157b4	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 2835 x 2835 px/m	English	United States	0.38402255639097743
RT_ICON	0x11bf9c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 2835 x 2835 px/m	English	United States	0.402634011090573
RT_ICON	0x121424	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.43180207841284834
RT_ICON	0x12564c	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14400, resolution 2835 x 2835 px/m	English	United States	0.45154155495978554
RT_ICON	0x129094	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.49470954356846475
RT_ICON	0x12b63c	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6400, resolution 2835 x 2835 px/m	English	United States	0.5338757396449704
RT_ICON	0x12d0a4	0x1588	Device independent bitmap graphic, 36 x 72 x 32, image size 5184, resolution 2835 x 2835 px/m	English	United States	0.5469883889695211
RT_ICON	0x12e62c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.5956848030018762
RT_ICON	0x12f6d4	0xeb0	Device independent bitmap graphic, 30 x 60 x 32, image size 3600, resolution 2835 x 2835 px/m	English	United States	0.6215425531914893
RT_ICON	0x130584	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	English	United States	0.6754098360655738
RT_ICON	0x130f0c	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1600, resolution 2835 x 2835 px/m	English	United States	0.7168604651162791
RT_ICON	0x1315c4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.7819148936170213
RT_STRING	0x131a2c	0x3f8	data			0.3198818897637795
RT_STRING	0x131e24	0x2dc	data			0.36475409836065575
RT_STRING	0x132100	0x430	data			0.40578358208955223
RT_STRING	0x132530	0x44c	data			0.38636363636363635
RT_STRING	0x13297c	0x2d4	data			0.39226519337016574
RT_STRING	0x132c50	0xb8	data			0.6467391304347826
RT_STRING	0x132d08	0x9c	data			0.6410256410256411
RT_STRING	0x132da4	0x374	data			0.4230769230769231
RT_STRING	0x133118	0x398	data			0.3358695652173913
RT_STRING	0x1334b0	0x368	data			0.3795871559633027
RT_STRING	0x133818	0x2a4	data			0.4275147928994083
RT_RCDATA	0x133abc	0x10	data			1.5
RT_RCDATA	0x133acc	0x310	data			0.6173469387755102
RT_RCDATA	0x133ddc	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x133e08	0xe6	GLS_BINARY_LSB_FIRST	English	United States	0.6739130434782609
RT_VERSION	0x133ef0	0x584	data	English	United States	0.2754957507082153
RT_MANIFEST	0x134474	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 10:04:25.195559978 CET	1.1.1.1	192.168.2.7	0xebee	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 10:04:25.950206041 CET	1.1.1.1	192.168.2.7	0x9d1c	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 10:04:25.950206041 CET	1.1.1.1	192.168.2.7	0x9d1c	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 10:05:55.764923096 CET	111	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Nov 28, 2024 10:05:57.247246981 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Thu, 28 Nov 2024 09:05:56 GMT Connection: close

Target ID:	0
Start time:	04:04:30
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\9VbeqQbgU4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9VbeqQbgU4.exe"
Imagebase:	0xc10000
File size:	87'653'216 bytes
MD5 hash:	A91B4875630C4F702AB63F94ED633DA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	04:04:31
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\is-TUTCO.tmp\9VbeqQbgU4.tmp" /SL5="$103E6,81954756,1209856,C:\Users\user\Desktop\9VbeqQbgU4.exe"
Imagebase:	0xc10000
File size:	3'699'712 bytes
MD5 hash:	6AB2AF20157D2F440E8B22982F6247C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	04:05:12
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\is-6VQJV.tmp\ExtractedContent.ps1"
Imagebase:	0x140000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	04:05:13
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	04:05:17
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SystemUtil\dobi.exe"
Imagebase:	0xba0000
File size:	10'115'160 bytes
MD5 hash:	A439025E40533F6E78C74FE8E9CE9875
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 38%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	04:05:22
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\more.com
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\more.com
Imagebase:	0xda0000
File size:	24'576 bytes
MD5 hash:	03805AE7E8CBC07840108F5C80CF4973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2196810054.00000000062A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2196810054.00000000062A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9VbeqQbgU4.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Canva\Canva.exe (copy)

C:\Program Files (x86)\Canva\LICENSE.electron.txt (copy)

C:\Program Files (x86)\Canva\LICENSES.chromium.html (copy)

C:\Program Files (x86)\Canva\Uninstall Canva.exe (copy)

C:\Program Files (x86)\Canva\chrome_100_percent.pak (copy)

C:\Program Files (x86)\Canva\chrome_200_percent.pak (copy)

C:\Program Files (x86)\Canva\d3dcompiler_47.dll (copy)

C:\Program Files (x86)\Canva\ffmpeg.dll (copy)

C:\Program Files (x86)\Canva\icudtl.dat (copy)

Windows Analysis Report
9VbeqQbgU4.exe

Target ID:	12
Start time:	04:05:35
Start date:	28/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	13
Start time:	04:05:48
Start date:	28/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x620000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	14
Start time:	04:05:54
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\sto\coml.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\sto\coml.exe"
Imagebase:	0x5a0000
File size:	10'115'160 bytes
MD5 hash:	A439025E40533F6E78C74FE8E9CE9875
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	15
Start time:	04:05:57
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\more.com
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\more.com
Imagebase:	0xda0000
File size:	24'576 bytes
MD5 hash:	03805AE7E8CBC07840108F5C80CF4973
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2441564536.0000000005B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.2441564536.0000000005B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	17
Start time:	04:06:13
Start date:	28/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x7e0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2441992162.0000000000C02000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000011.00000002.2441992162.0000000000C02000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	true

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.3%
Total number of Nodes:	132
Total number of Limit Nodes:	6

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	96.6%
Signature Coverage:	3.4%
Total number of Nodes:	87
Total number of Limit Nodes:	1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre