Edit tour

Windows Analysis Report
laserl.ps1

Overview

General Information

Sample name:	laserl.ps1
Analysis ID:	1614996
MD5:	4798cd4856a1c8354fe91f614524edee
SHA1:	c448e04f77f821b021ce1ed31d3ef1eeb17c04e7
SHA256:	0c37328792b140f373f02a48893a6a45d65f7a8873ead5dfd4e80e091b1d460d
Tags:	196-251-92-64ps1user-JAMESWT_MHT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 7632 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 2B95FBF66D9BE796D2B17AEEC55498DB)

CasPol.exe (PID: 7692 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

z53lU2R5p.exe (PID: 5880 cmdline: "C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\a5VGUv5drfrOvH.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

runonce.exe (PID: 8132 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)

z53lU2R5p.exe (PID: 3688 cmdline: "C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7240 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

notepad.exe (PID: 7556 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\laserl.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2622959605.0000000003260000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1881174440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2631819181.0000000004F60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2631757866.0000000004F10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1882071267.0000000001960000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2631265003.0000000001290000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1883696726.0000000003110000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2631876199.00000000041A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 7404	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2b79:$b1: ::WriteAllBytes( 0x89625:$b1: ::WriteAllBytes( 0x2b95:$b2: ::FromBase64String( 0x89641:$b2: ::FromBase64String( 0x53b2f:$s1: -join 0x55765:$s1: -join 0x175dcc:$s1: -join 0x182ea1:$s1: -join 0x186273:$s1: -join 0x186925:$s1: -join 0x188416:$s1: -join 0x18a61c:$s1: -join 0x18ae43:$s1: -join 0x18b6b3:$s1: -join 0x18bdee:$s1: -join 0x18be20:$s1: -join 0x18be68:$s1: -join 0x18be87:$s1: -join 0x18c6d7:$s1: -join 0x18c853:$s1: -join 0x18c8cb:$s1: -join
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.CasPol.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5676, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1", ProcessId: 7404, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5676, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1", ProcessId: 7404, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T12:13:25.946828+0100	2855465	1	A Network Trojan was detected	192.168.2.9	59356	162.218.30.235	80	TCP
2025-02-14T12:13:49.493179+0100	2855465	1	A Network Trojan was detected	192.168.2.9	59360	103.106.67.112	80	TCP
2025-02-14T12:14:04.236399+0100	2855465	1	A Network Trojan was detected	192.168.2.9	59364	104.21.112.1	80	TCP
2025-02-14T12:14:17.653466+0100	2855465	1	A Network Trojan was detected	192.168.2.9	59368	104.21.48.1	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T12:13:41.871762+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59357	103.106.67.112	80	TCP
2025-02-14T12:13:44.401498+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59358	103.106.67.112	80	TCP
2025-02-14T12:13:46.979399+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59359	103.106.67.112	80	TCP
2025-02-14T12:13:56.074580+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59361	104.21.112.1	80	TCP
2025-02-14T12:13:57.863401+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59362	104.21.112.1	80	TCP
2025-02-14T12:14:01.433816+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59363	104.21.112.1	80	TCP
2025-02-14T12:14:09.997872+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59365	104.21.48.1	80	TCP
2025-02-14T12:14:12.554983+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59366	104.21.48.1	80	TCP
2025-02-14T12:14:15.104519+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59367	104.21.48.1	80	TCP
2025-02-14T12:14:24.282264+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59369	134.122.133.80	80	TCP
2025-02-14T12:14:26.859913+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59370	134.122.133.80	80	TCP
2025-02-14T12:14:30.576320+0100	2855464	1	A Network Trojan was detected	192.168.2.9	59371	134.122.133.80	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.seasay.xyz/c9ts/?y2IHp=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7UxshhdjBGkpYiovfB8EVbaaI8Ibdvw==&iLy=Wfpx	Avira URL Cloud: Label: malware
Source: http://www.seasay.xyz/c9ts/	Avira URL Cloud: Label: malware
Source: http://www.tumbetgirislinki.fit/k566/?iLy=Wfpx&y2IHp=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe6OYJ2CZYvza1X4jE5qPwznFDfci4lg==	Avira URL Cloud: Label: malware
Source: http://www.lucynoel6465.shop/jgkl/?y2IHp=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpe8No0hPfAwO5oFY7qBV6wzFyOtp6qA==&iLy=Wfpx	Avira URL Cloud: Label: malware
Source: http://www.l63339.xyz/vhr7/?iLy=Wfpx&y2IHp=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4o2GNlbdMtrDimVv8q0bADTP2MW58ag==	Avira URL Cloud: Label: malware
Source: http://www.tumbetgirislinki.fit/k566/	Avira URL Cloud: Label: malware
Source: http://www.kjuw.party/e0jv/	Avira URL Cloud: Label: malware
Source: https://www.seasay.xyz/c9ts/?y2IHp=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAya	Avira URL Cloud: Label: malware
Source: http://www.lucynoel6465.shop/jgkl/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: laserl.ps1	Virustotal: Detection: 51%			Perma Link
Source: laserl.ps1	ReversingLabs: Detection: 45%

Yara detected FormBook

Source: Yara match	File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2622959605.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1881174440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2631819181.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2631757866.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1882071267.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2631265003.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1883696726.0000000003110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2631876199.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:	Binary string: VXCDD.pdb source: powershell.exe, 00000000.00000002.1380156291.000000000641A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1365169323.000000000057E000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source:	Binary string: runonce.pdbGCTL source: CasPol.exe, 00000005.00000002.1881815071.0000000001567000.00000004.00000020.00020000.00000000.sdmp, z53lU2R5p.exe, 00000009.00000002.2630465937.000000000123E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: CasPol.exe, 00000005.00000002.1882277639.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1883619131.00000000050C5000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2632290889.0000000005270000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2632290889.000000000540E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1881461802.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CasPol.exe, CasPol.exe, 00000005.00000002.1882277639.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000A.00000003.1883619131.00000000050C5000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2632290889.0000000005270000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2632290889.000000000540E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1881461802.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: VXCDD.pdbX source: powershell.exe, 00000000.00000002.1380156291.000000000641A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1365169323.000000000057E000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source:	Binary string: runonce.pdb source: CasPol.exe, 00000005.00000002.1881815071.0000000001567000.00000004.00000020.00020000.00000000.sdmp, z53lU2R5p.exe, 00000009.00000002.2630465937.000000000123E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: z53lU2R5p.exe, 00000009.00000002.2622950201.00000000005CF000.00000002.00000001.01000000.0000000B.sdmp, z53lU2R5p.exe, 0000000D.00000000.1950205064.00000000005CF000.00000002.00000001.01000000.0000000B.sdmp

Source: C:\Windows\SysWOW64\runonce.exe

Code function: 10_2_0327C8D0 FindFirstFileW,FindNextFileW,FindClose,

10_2_0327C8D0

Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then xor eax, eax	10_2_03269EF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then mov ebx, 00000004h	10_2_050604E8
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then pop edi	13_2_012B453F
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then pop edi	13_2_012B45D7
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then pop edi	13_2_012B44FB
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then xor eax, eax	13_2_012A8F3E
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then pop edi	13_2_012A5730
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then pop edi	13_2_012A3741
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then pop edi	13_2_012B4624
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 4x nop then pop edi	13_2_012B46B5

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59371 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59361 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59360 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59359 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59368 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59357 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59367 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59370 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59369 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59362 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59366 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59358 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59363 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59365 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59356 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59364 -> 104.21.112.1:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.l63339.xyz
Source:	DNS query: www.seasay.xyz

Source: global traffic

TCP traffic: 192.168.2.9:59273 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 103.106.67.112 103.106.67.112

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vhr7/?iLy=Wfpx&y2IHp=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4o2GNlbdMtrDimVv8q0bADTP2MW58ag== HTTP/1.1Host: www.l63339.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /c9ts/?y2IHp=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7UxshhdjBGkpYiovfB8EVbaaI8Ibdvw==&iLy=Wfpx HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /k566/?iLy=Wfpx&y2IHp=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe6OYJ2CZYvza1X4jE5qPwznFDfci4lg== HTTP/1.1Host: www.tumbetgirislinki.fitAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /jgkl/?y2IHp=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpe8No0hPfAwO5oFY7qBV6wzFyOtp6qA==&iLy=Wfpx HTTP/1.1Host: www.lucynoel6465.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.l63339.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic	DNS traffic detected: DNS query: www.lucynoel6465.shop
Source: global traffic	DNS traffic detected: DNS query: www.kjuw.party

Source: unknown

HTTP traffic detected: POST /c9ts/ HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.seasay.xyzReferer: http://www.seasay.xyz/c9ts/Content-Length: 194Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5Data Raw: 79 32 49 48 70 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 46 36 57 58 32 78 58 4d 50 49 78 69 4a 75 36 49 52 48 59 6e 55 4c 6b 7a 41 74 66 75 65 4b 75 72 51 35 70 50 52 74 73 32 58 79 46 63 6c 75 6f 49 52 59 54 59 4b 44 4b 54 43 74 31 59 32 2f 49 30 47 63 49 70 45 34 70 57 54 45 55 36 4b 7a 67 50 58 5a 69 6f 64 6d 78 4c 71 6f 66 58 49 2b 4c 37 36 62 4b 35 66 52 48 31 69 32 65 45 32 57 75 44 59 42 30 36 32 51 56 2f 32 4d 73 62 32 48 6b 75 32 32 5a 47 36 32 51 35 4f 2b 50 30 55 43 61 74 4b 43 4f 30 4e 36 54 63 47 31 6d 74 42 6d 38 77 75 39 44 2b 79 52 2b 56 7a 4e 70 66 38 65 37 Data Ascii: y2IHp=W0JY4Dlg8zmW5F6WX2xXMPIxiJu6IRHYnULkzAtfueKurQ5pPRts2XyFcluoIRYTYKDKTCt1Y2/I0GcIpE4pWTEU6KzgPXZiodmxLqofXI+L76bK5fRH1i2eE2WuDYB062QV/2Msb2Hku22ZG62Q5O+P0UCatKCO0N6TcG1mtBm8wu9D+yR+VzNpf8e7

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:13:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kzm1QjCJwW38n0V1lV7UH4VtaZ3qhghKqkua18Pf8C7CwS7Ma0XIAZXNeRyiHNxbP%2BljyDb3Xbk1Bch7bPyjaWzt9u4MBFFcXCp50kwGNacC64Hj3rOF1w0niqiP5TbHukqOGC6cJGCJwtk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911ca1be8d96430d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=841&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 97 a3 4a 72 7e bf bf 42 ae 39 b6 67 0e 5d cd be d5 ad 6a 1b 10 12 48 02 01 12 92 d0 cb 3d 90 24 8b 58 c5 2e f9 cc 0f f2 df f0 2f f3 51 55 2f d5 55 52 77 df 19 3f 38 1f 4a 64 66 44 64 64 2c 5f 50 99 fc f6 db 6f 8f ff 32 5e 4a 6b c7 90 47 51 93 a5 9f 7e 7b 7c f9 19 8d 46 a3 c7 08 ba fe e7 c7 0c 36 ee 28 6a 9a f2 1e 1e db b8 7b ba 93 8a bc 81 79 73 df 9c 4a 78 37 02 2f bd a7 bb 06 0e 0d 7a 11 f1 fb 08 44 6e 55 c3 e6 a9 6d 82 7b ee ee a6 1c 17 44 f0 fe c2 5f 15 e9 2b 41 79 71 0f 2e 53 37 19 8d ca 0d 33 f7 cf 70 c8 43 19 57 b0 7e c5 82 7d 47 9b bb 19 7c ba eb 62 d8 97 45 d5 bc 22 eb 63 bf 89 9e 7c d8 c5 00 de 3f 77 3e 8c e2 3c 6e 62 37 bd af 81 9b c2 27 fc e3 57 51 4d dc a4 f0 13 85 51 23 bd 68 46 93 a2 cd fd 47 f4 65 f0 85 a0 6e 4e 29 1c 5d ec f6 d9 5c a0 ae 3f 33 5f 9a 57 f8 a7 d1 7f 7d ed 5e 5a 50 e4 cd 7d e0 66 71 7a 7a 18 09 55 ec a6 1f 46 0a 4c 3b d8 c4 c0 fd 30 aa dd bc be af 61 15 07 bf bf 67 ab e3 33 7c 18 e1 54 39 7c 3f 99 c6 39 bc 8f 60 1c 46 cd c3 08 ff 48 11 1c cd e2 14 c1 7f 4f e5 Data Ascii: 1313ZYJr~B9g]jH=$X./QU/URw?8JdfDdd,_Po2^JkGQ~{\|F6(j{ysJx7/zDnUm{D_+Ayq.S73pCW~}G\|bE"c\|?w><nb7'WQMQ#hFGenN)]\?3_W}^ZP}fqzzUFL;0ag3\|T9\|?9`FHO
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:14:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FrunjR4aNKlahKK9SSOTqdzcKhCH7gZcRO5GS%2FgBZ8qrtdqGifebbI5A8QxMcEKtFRNk%2B86Gm7qQtD%2F20CXQleR3jU%2F1DJ9UxH%2B6o1QHzqy1RQoab0OV437LzbUH2beCoty4jZBv567X8yg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911ca1dffd9542e3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1587&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=538&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 0d 0a 0a 0a 0a 0d 0a Data Ascii: 3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:14:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GTRSZ%2Bv4c1rWWOao3B%2FUkMzTJImcsqQ7y2kOg%2Bw9%2BIKiIIEc17r700252WJns0ZRRh5qusMmNKVIh10Cp2f%2FEsFfax80AkE6qaSDQ6alRpK5j%2F4egf9mO0bBJnaIxDxat4n9QsvMwt4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911ca20a7ed117b5-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1757&min_rtt=1757&rtt_var=878&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=808&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:14:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mwzsR35MhtvUHJ7SR4gLvi2NF1TM%2FOt5EvO981keGBysVL74VPqcBWzHu1tJjLKLXsfYBrhRYyPDEYCUlMUEg7ji8ghs6Ab05WQlFwpJYlMDJF8NP33bA23rY8rIqqc2iVE%2FdycAZUE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911ca21a7fb24304-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1567&rtt_var=783&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=832&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 36 61 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f6a(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:14:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GJy3kgUrsSKpNELaHkyON%2B4UqZYGXc8Y4pIpgLskjJZyD1Xyi%2FZQZbkPbSkXvkAnTb6WYMmXkylGzR7Ce25DrNCRdsAsijgg9o81nw6KqFJ67OYjmabr0J0jHTP84JiPcj2YOzP02Nk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911ca22a6f301a13-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1911&min_rtt=1911&rtt_var=955&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1845&delivery_rate=0&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:14:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ux8IMxBSWsxkmqzmm%2FOtstpQBSwTMrDZ97gsrTTnT6eEE%2Fb%2FGU5xmkE7bFv0StiCpQt0C4A%2BFaxOYqDEmmg0fVljJxNTwBv0bAZj2q%2FokPPxlz9g2nh6TIbIUoGww4bz%2F3QFzO8f0Kk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911ca23a5f9641de-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2211&min_rtt=2211&rtt_var=1105&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=535&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Fri, 14 Feb 2025 11:14:24 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Fri, 14 Feb 2025 11:14:26 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Fri, 14 Feb 2025 11:14:30 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: runonce.exe, 0000000A.00000002.2632892876.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, z53lU2R5p.exe, 0000000D.00000002.2632350713.00000000037D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: powershell.exe, 00000000.00000002.1380156291.000000000641A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1376350694.0000000005506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1383231866.0000000007A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1376350694.00000000053B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1376350694.0000000005506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1383231866.0000000007A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: z53lU2R5p.exe, 0000000D.00000002.2631265003.00000000012EF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party
Source: z53lU2R5p.exe, 0000000D.00000002.2631265003.00000000012EF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party/e0jv/
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000000.00000002.1376350694.00000000053B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000000.00000002.1380156291.000000000641A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1380156291.000000000641A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1380156291.000000000641A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000000.00000002.1376350694.0000000005506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1383231866.0000000007A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: runonce.exe, 0000000A.00000002.2626930439.0000000003427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003427000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2626930439.0000000003427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: runonce.exe, 0000000A.00000003.2061728951.0000000008529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003427000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2062822541.0000000003415000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003415000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003415000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfken88
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003415000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2626930439.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003427000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2626930439.0000000003427000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2062822541.0000000003415000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: runonce.exe, 0000000A.00000003.2062822541.0000000003427000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2626930439.0000000003427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000000.00000002.1380156291.000000000641A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: runonce.exe, 0000000A.00000003.2066536487.0000000008538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: z53lU2R5p.exe, 0000000D.00000002.2632350713.0000000003646000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/c9ts/?y2IHp=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAya
Source: runonce.exe, 0000000A.00000002.2632892876.0000000005C84000.00000004.10000000.00040000.00000000.sdmp, z53lU2R5p.exe, 0000000D.00000002.2632350713.00000000034B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2172347743.00000000271A4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/
Source: runonce.exe, 0000000A.00000002.2632892876.0000000005C84000.00000004.10000000.00040000.00000000.sdmp, z53lU2R5p.exe, 0000000D.00000002.2632350713.00000000034B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2172347743.00000000271A4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2622959605.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1881174440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2631819181.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2631757866.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1882071267.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2631265003.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1883696726.0000000003110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2631876199.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7404, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: x.exe.0.dr

Static PE information: section name: sZr#e^

PE file has nameless sections

Source: x.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0042CAA3 NtClose,	5_2_0042CAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A335C0 NtCreateMutant,LdrInitializeThunk,	5_2_01A335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32B60 NtClose,LdrInitializeThunk,	5_2_01A32B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01A32DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_01A32C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A33090 NtSetValueKey,	5_2_01A33090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A33010 NtOpenDirectoryObject,	5_2_01A33010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A34340 NtSetContextThread,	5_2_01A34340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A34650 NtSuspendThread,	5_2_01A34650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A339B0 NtGetContextThread,	5_2_01A339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32BA0 NtEnumerateValueKey,	5_2_01A32BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32B80 NtQueryInformationFile,	5_2_01A32B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32BE0 NtQueryValueKey,	5_2_01A32BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32BF0 NtAllocateVirtualMemory,	5_2_01A32BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32AB0 NtWaitForSingleObject,	5_2_01A32AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32AF0 NtWriteFile,	5_2_01A32AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32AD0 NtReadFile,	5_2_01A32AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32DB0 NtEnumerateKey,	5_2_01A32DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32DD0 NtDelayExecution,	5_2_01A32DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32D30 NtUnmapViewOfSection,	5_2_01A32D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32D00 NtSetInformationFile,	5_2_01A32D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A33D10 NtOpenProcessToken,	5_2_01A33D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32D10 NtMapViewOfSection,	5_2_01A32D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A33D70 NtOpenThread,	5_2_01A33D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32CA0 NtQueryInformationToken,	5_2_01A32CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32CF0 NtOpenProcess,	5_2_01A32CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32CC0 NtQueryVirtualMemory,	5_2_01A32CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32C00 NtQueryInformationProcess,	5_2_01A32C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32C60 NtCreateKey,	5_2_01A32C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32FA0 NtQuerySection,	5_2_01A32FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32FB0 NtResumeThread,	5_2_01A32FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32F90 NtProtectVirtualMemory,	5_2_01A32F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32FE0 NtCreateFile,	5_2_01A32FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32F30 NtCreateSection,	5_2_01A32F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32F60 NtCreateProcessEx,	5_2_01A32F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32EA0 NtAdjustPrivilegesToken,	5_2_01A32EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32E80 NtReadVirtualMemory,	5_2_01A32E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32EE0 NtQueueApcThread,	5_2_01A32EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A32E30 NtWriteVirtualMemory,	5_2_01A32E30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E35C0 NtCreateMutant,LdrInitializeThunk,	10_2_052E35C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E4650 NtSuspendThread,LdrInitializeThunk,	10_2_052E4650
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E4340 NtSetContextThread,LdrInitializeThunk,	10_2_052E4340
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_052E2D30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_052E2D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_052E2DF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_052E2DD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2C60 NtCreateKey,LdrInitializeThunk,	10_2_052E2C60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_052E2C70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_052E2CA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2F30 NtCreateSection,LdrInitializeThunk,	10_2_052E2F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2FB0 NtResumeThread,LdrInitializeThunk,	10_2_052E2FB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2FE0 NtCreateFile,LdrInitializeThunk,	10_2_052E2FE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_052E2E80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_052E2EE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E39B0 NtGetContextThread,LdrInitializeThunk,	10_2_052E39B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2B60 NtClose,LdrInitializeThunk,	10_2_052E2B60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_052E2BA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_052E2BE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_052E2BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2AF0 NtWriteFile,LdrInitializeThunk,	10_2_052E2AF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2AD0 NtReadFile,LdrInitializeThunk,	10_2_052E2AD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E3010 NtOpenDirectoryObject,	10_2_052E3010
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E3090 NtSetValueKey,	10_2_052E3090
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2D00 NtSetInformationFile,	10_2_052E2D00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E3D10 NtOpenProcessToken,	10_2_052E3D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E3D70 NtOpenThread,	10_2_052E3D70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2DB0 NtEnumerateKey,	10_2_052E2DB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2C00 NtQueryInformationProcess,	10_2_052E2C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2CF0 NtOpenProcess,	10_2_052E2CF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2CC0 NtQueryVirtualMemory,	10_2_052E2CC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2F60 NtCreateProcessEx,	10_2_052E2F60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2FA0 NtQuerySection,	10_2_052E2FA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2F90 NtProtectVirtualMemory,	10_2_052E2F90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2E30 NtWriteVirtualMemory,	10_2_052E2E30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2EA0 NtAdjustPrivilegesToken,	10_2_052E2EA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2B80 NtQueryInformationFile,	10_2_052E2B80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E2AB0 NtWaitForSingleObject,	10_2_052E2AB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03289780 NtDeleteFile,	10_2_03289780
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03289680 NtReadFile,	10_2_03289680
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03289510 NtCreateFile,	10_2_03289510
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03289980 NtAllocateVirtualMemory,	10_2_03289980
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03289820 NtClose,	10_2_03289820
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506F2CF NtReadVirtualMemory,	10_2_0506F2CF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506F8C4 NtMapViewOfSection,	10_2_0506F8C4

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00D81CD8	4_2_00D81CD8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00D828D0	4_2_00D828D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00D80848	4_2_00D80848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00D811E9	4_2_00D811E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00D828C0	4_2_00D828C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00D807E0	4_2_00D807E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004188F3	5_2_004188F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00403000	5_2_00403000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004100CA	5_2_004100CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0042F0D3	5_2_0042F0D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004100D3	5_2_004100D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00401240	5_2_00401240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E2E3	5_2_0040E2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004102F3	5_2_004102F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00416AFE	5_2_00416AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00416B03	5_2_00416B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00402462	5_2_00402462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00402470	5_2_00402470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E47C	5_2_0040E47C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E427	5_2_0040E427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E433	5_2_0040E433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00402750	5_2_00402750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AC01AA	5_2_01AC01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A0B1B0	5_2_01A0B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB81CC	5_2_01AB81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019F0100	5_2_019F0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A9A118	5_2_01A9A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ACB16B	5_2_01ACB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A3516C	5_2_01A3516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019EF172	5_2_019EF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A88158	5_2_01A88158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB70E9	5_2_01AB70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABF0E0	5_2_01ABF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A070C0	5_2_01A070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AAF0CC	5_2_01AAF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A4739A	5_2_01A4739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AC03E6	5_2_01AC03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A0E3F0	5_2_01A0E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB132D	5_2_01AB132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019ED34C	5_2_019ED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABA352	5_2_01ABA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A052A0	5_2_01A052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AA12ED	5_2_01AA12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A1B2C0	5_2_01A1B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AA0274	5_2_01AA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A9D5B0	5_2_01A9D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AC0591	5_2_01AC0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A00535	5_2_01A00535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB7571	5_2_01AB7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AAE4F6	5_2_01AAE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABF43F	5_2_01ABF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB2446	5_2_01AB2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019F1460	5_2_019F1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABF7B0	5_2_01ABF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019FC7C0	5_2_019FC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A00770	5_2_01A00770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A24750	5_2_01A24750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A1C6E0	5_2_01A1C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB16CC	5_2_01AB16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A029A0	5_2_01A029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ACA9A6	5_2_01ACA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A16962	5_2_01A16962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A09950	5_2_01A09950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A1B950	5_2_01A1B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019E68B8	5_2_019E68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A038E0	5_2_01A038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A2E8F0	5_2_01A2E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A6D800	5_2_01A6D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A02840	5_2_01A02840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A0A840	5_2_01A0A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A1FB80	5_2_01A1FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A75BF0	5_2_01A75BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A3DBF9	5_2_01A3DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB6BD7	5_2_01AB6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABFB76	5_2_01ABFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABAB40	5_2_01ABAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A45AA0	5_2_01A45AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A9DAAC	5_2_01A9DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019FEA80	5_2_019FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AADAC6	5_2_01AADAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A73A6C	5_2_01A73A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABFA49	5_2_01ABFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB7A46	5_2_01AB7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A18DBF	5_2_01A18DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A1FDC0	5_2_01A1FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019FADE0	5_2_019FADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A0AD00	5_2_01A0AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB7D73	5_2_01AB7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A03D40	5_2_01A03D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AB1D5A	5_2_01AB1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01AA0CB5	5_2_01AA0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABFCF2	5_2_01ABFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019F0CF2	5_2_019F0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A79C32	5_2_01A79C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A00C00	5_2_01A00C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABFFB1	5_2_01ABFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A01F92	5_2_01A01F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A0CFE0	5_2_01A0CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019F2FC8	5_2_019F2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A42F28	5_2_01A42F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A20F30	5_2_01A20F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABFF09	5_2_01ABFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A74F40	5_2_01A74F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A09EB0	5_2_01A09EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A12E90	5_2_01A12E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABCE93	5_2_01ABCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABEEDB	5_2_01ABEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01ABEE26	5_2_01ABEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01A00E59	5_2_01A00E59
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B0535	10_2_052B0535
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05367571	10_2_05367571
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0534D5B0	10_2_0534D5B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05370591	10_2_05370591
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536F43F	10_2_0536F43F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052A1460	10_2_052A1460
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05362446	10_2_05362446
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0535E4F6	10_2_0535E4F6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B0770	10_2_052B0770
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052D4750	10_2_052D4750
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536F7B0	10_2_0536F7B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052AC7C0	10_2_052AC7C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052CC6E0	10_2_052CC6E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_053616CC	10_2_053616CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052A0100	10_2_052A0100
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0534A118	10_2_0534A118
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052E516C	10_2_052E516C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0529F172	10_2_0529F172
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0537B16B	10_2_0537B16B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052BB1B0	10_2_052BB1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_053701AA	10_2_053701AA
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_053681CC	10_2_053681CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536F0E0	10_2_0536F0E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_053670E9	10_2_053670E9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B70C0	10_2_052B70C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0535F0CC	10_2_0535F0CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536132D	10_2_0536132D
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536A352	10_2_0536A352
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0529D34C	10_2_0529D34C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052F739A	10_2_052F739A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_053703E6	10_2_053703E6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052BE3F0	10_2_052BE3F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05350274	10_2_05350274
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B52A0	10_2_052B52A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_053512ED	10_2_053512ED
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052CB2C0	10_2_052CB2C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052BAD00	10_2_052BAD00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05367D73	10_2_05367D73
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B3D40	10_2_052B3D40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05361D5A	10_2_05361D5A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052C8DBF	10_2_052C8DBF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052AADE0	10_2_052AADE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052CFDC0	10_2_052CFDC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05329C32	10_2_05329C32
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B0C00	10_2_052B0C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05350CB5	10_2_05350CB5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536FCF2	10_2_0536FCF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052A0CF2	10_2_052A0CF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052D0F30	10_2_052D0F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536FF09	10_2_0536FF09
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05324F40	10_2_05324F40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536FFB1	10_2_0536FFB1
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B1F92	10_2_052B1F92
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052BCFE0	10_2_052BCFE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052A2FC8	10_2_052A2FC8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536EE26	10_2_0536EE26
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B0E59	10_2_052B0E59
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B9EB0	10_2_052B9EB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536CE93	10_2_0536CE93
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052C2E90	10_2_052C2E90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536EEDB	10_2_0536EEDB
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052C6962	10_2_052C6962
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B9950	10_2_052B9950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052CB950	10_2_052CB950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B29A0	10_2_052B29A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0537A9A6	10_2_0537A9A6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B2840	10_2_052B2840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052BA840	10_2_052BA840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052968B8	10_2_052968B8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052B38E0	10_2_052B38E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052DE8F0	10_2_052DE8F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536FB76	10_2_0536FB76
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536AB40	10_2_0536AB40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052CFB80	10_2_052CFB80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052EDBF9	10_2_052EDBF9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05366BD7	10_2_05366BD7
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05323A6C	10_2_05323A6C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05367A46	10_2_05367A46
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0536FA49	10_2_0536FA49
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052F5AA0	10_2_052F5AA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0534DAAC	10_2_0534DAAC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052AEA80	10_2_052AEA80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0535DAC6	10_2_0535DAC6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03271FD0	10_2_03271FD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326B1A4	10_2_0326B1A4
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326B1B0	10_2_0326B1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326B1F9	10_2_0326B1F9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326B060	10_2_0326B060
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326D070	10_2_0326D070
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03275670	10_2_03275670
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0327387B	10_2_0327387B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03273880	10_2_03273880
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326CE47	10_2_0326CE47
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326CE50	10_2_0326CE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0328BE50	10_2_0328BE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506E467	10_2_0506E467
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506E7FC	10_2_0506E7FC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506D8C8	10_2_0506D8C8
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012AA1FE	13_2_012AA1FE
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012AA1F2	13_2_012AA1F2
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012B101E	13_2_012B101E
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012AA0AE	13_2_012AA0AE
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012AC0BE	13_2_012AC0BE
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012B28C9	13_2_012B28C9
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012B28CE	13_2_012B28CE
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012AA247	13_2_012AA247
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012B46BE	13_2_012B46BE
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012CAE9E	13_2_012CAE9E
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012ABE9E	13_2_012ABE9E
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Code function: 13_2_012ABE95	13_2_012ABE95

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\x.exe 3DBEAF9A20F222FE4E804B19A337C14A560F1977C5E9B11F4E02BC30E620FEBE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 019EB970 appears 268 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 01A7F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 01A47E54 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 01A35130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 01A6EA12 appears 86 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 052E5130 appears 36 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 0529B970 appears 266 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 0532F290 appears 105 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 052F7E54 appears 87 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 0531EA12 appears 84 times

Source: Process Memory Space: powershell.exe PID: 7404, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: x.exe.0.dr

Static PE information: Section: sZr#e^ ZLIB complexity 1.0003320970117846

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@11/8@6/5

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laserl.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\laserl.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0041F04F push ebx; ret	5_2_0041F058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00403280 push eax; ret	5_2_00403282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0041AB61 pushfd ; ret	5_2_0041AB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0041ABD6 push ds; ret	5_2_0041ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040D38A push edx; iretd	5_2_0040D453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00426CC3 pushad ; iretd	5_2_00426CEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004084DA push esi; retf	5_2_004084DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004084FF push ebp; iretd	5_2_00408502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00412559 push ecx; iretd	5_2_0041255A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004125DC pushfd ; iretd	5_2_004125FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00405E25 push ecx; ret	5_2_00405E2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00401F0E push ss; retf	5_2_00401F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019F09AD push ecx; mov dword ptr [esp], ecx	5_2_019F09B6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_052A09AD push ecx; mov dword ptr [esp], ecx	10_2_052A09B6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326F359 pushfd ; iretd	10_2_0326F378
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326527C push ebp; iretd	10_2_0326527F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03265257 push esi; retf	10_2_0326525A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0326F2D6 push ecx; iretd	10_2_0326F2D7
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03277B60 push FFFFFFC3h; ret	10_2_03277BCA
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03262BA2 push ecx; ret	10_2_03262BA8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03283A40 pushad ; iretd	10_2_03283A68
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_03277953 push ds; ret	10_2_03277955
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_032778DE pushfd ; ret	10_2_032778F5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0327BDCC push ebx; ret	10_2_0327BDD5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05066482 push cs; retf	10_2_05066492
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_05064626 push 0CD768ABh; retf	10_2_050646A8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506466D push 0CD768ABh; retf	10_2_050646A8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_050666D1 push ebx; ret	10_2_050666D2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506C188 push eax; ret	10_2_0506C1E3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506C1E5 push eax; ret	10_2_0506C1E3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 10_2_0506F1F3 push esi; ret	10_2_0506F1F4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 48C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 4F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 5F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 60A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 70A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2737			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Window / User API: threadDelayed 9701			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\runonce.exe	API coverage: 3.1 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 6804	Thread sleep count: 271 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 6804	Thread sleep time: -542000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 6804	Thread sleep count: 9701 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 6804	Thread sleep time: -19402000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe TID: 1280	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed

Source: 6511-iOQ--.10.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 6511-iOQ--.10.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: 6511-iOQ--.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: runonce.exe, 0000000A.00000002.2635208670.00000000085A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,119
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: runonce.exe, 0000000A.00000002.2635208670.00000000085A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tVMware20,11696497155
Source: 6511-iOQ--.10.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 6511-iOQ--.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: runonce.exe, 0000000A.00000002.2626930439.00000000033FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: 6511-iOQ--.10.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: 6511-iOQ--.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: 6511-iOQ--.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: 6511-iOQ--.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: 6511-iOQ--.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: runonce.exe, 0000000A.00000002.2635208670.00000000085A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155
Source: 6511-iOQ--.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: runonce.exe, 0000000A.00000002.2635208670.00000000085A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,116964971&
Source: 6511-iOQ--.10.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: 6511-iOQ--.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 6511-iOQ--.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: 6511-iOQ--.10.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: 6511-iOQ--.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: z53lU2R5p.exe, 0000000D.00000002.2630779154.00000000011B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: 6511-iOQ--.10.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: 6511-iOQ--.10.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: 6511-iOQ--.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: 6511-iOQ--.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: 6511-iOQ--.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: 6511-iOQ--.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: firefox.exe, 0000000E.00000002.2174059908.0000021426CEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll``

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtProtectVirtualMemory: Direct from: 0x77537B2E	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtTerminateThread: Direct from: 0x77542FCC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtQueryValueKey: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtOpenKeyEx: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\OeOkWTVmHdqTTiRIUsnfgYIxAKikzNpkBCqwpqzOCYDZJCXIUbZZaRQsUrSm\z53lU2R5p.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1092008	Jump to behavior

Source: z53lU2R5p.exe, 00000009.00000002.2631124400.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 00000009.00000000.1803120056.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 0000000D.00000002.2631836416.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: z53lU2R5p.exe, 00000009.00000002.2631124400.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 00000009.00000000.1803120056.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 0000000D.00000002.2631836416.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: z53lU2R5p.exe, 00000009.00000002.2631124400.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 00000009.00000000.1803120056.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 0000000D.00000002.2631836416.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: z53lU2R5p.exe, 00000009.00000002.2631124400.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 00000009.00000000.1803120056.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, z53lU2R5p.exe, 0000000D.00000002.2631836416.0000000001821000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\laserl.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report laserl.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
laserl.ps1

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	612 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement