
Windows Analysis Report
T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe

Overview

General Information

Sample name: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
Analysis ID: 1635290
MD5: 94c16379efe1d3a7c600b2f83f8c50f0
SHA1: c6ccf2056134a3376eb89f2507d17bae14da2f30
SHA256: 0ca149e59a526c1811fcac3c14943acdbc43a3261af653670bc9e71436b1fc32
Tags: AgentTesla, exe, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2484 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • AccessMask.exe (PID: 2968 cmdline: "C:\Users\user\AppData\Roaming\AccessMask.exe" MD5: 94C16379EFE1D3A7C600B2F83F8C50F0)
      • InstallUtil.exe (PID: 7076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Malware family: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "classic@iaa-airferight.com", "Password": "BIGNAIRA2024"}
Yara matches (memory dumps):
Source: 00000000.00000002.1444867182.0000000005A20000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Yara matches (unpacked PEs):
Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a20000.8.raw.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a20000.8.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 3.2.AccessMask.exe.4037860.4.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 3.2.AccessMask.exe.4037860.4.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 3.2.AccessMask.exe.4037860.4.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs" , ProcessId: 2484, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 6952, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs" , ProcessId: 2484, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, ProcessId: 3816, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs
                    No Suricata rule has matched


                    AV Detection

Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 3.2.AccessMask.exe.4037860.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "classic@iaa-airferight.com", "Password": "BIGNAIRA2024"}
Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Roaming\AccessMask.exe | ReversingLabs: Detection: 55%
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Virustotal: Detection: 65%
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445238040.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003F43000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445238040.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003F43000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Code function: 4x nop then jmp 05AF7C28h (0_2_05AF7B6A)
Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Code function: 4x nop then jmp 05AF7C28h (0_2_05AF7B70)
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: InstallUtil.exe, 00000001.00000002.1564063383.000000000292C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1425681362.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1564063383.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1559323187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000004022000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1559323187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1564063383.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000004022000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000001.00000002.1564063383.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000001.00000002.1564063383.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1425681362.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, K6raBsUk6.cs | .Net Code: UQgQ75

                    System Summary

Source: 3.2.AccessMask.exe.4037860.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.AccessMask.exe.4037860.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Code function: 0_2_05AF93F0 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Code function: 0_2_05AFCD10 NtResumeThread
Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Code function: 0_2_05AF93E8 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Code function: 0_2_05AFCD09 NtResumeThread
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1443950245.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNorva.exe, vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNorva.exe, vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445238040.00000000060B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1424716779.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename69f9de06-3db1-4f6f-8eb7-8ce21e91f1c8.exe4 vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1443050347.00000000052E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOdadrjhy.dll" vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003F43000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1425681362.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003F30000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOdadrjhy.dll" vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1425681362.000000000306F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename69f9de06-3db1-4f6f-8eb7-8ce21e91f1c8.exe4 vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Binary or memory string: OriginalFilenameNorva.exe, vs T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 3.2.AccessMask.exe.4037860.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 3.2.AccessMask.exe.4037860.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: AccessMask.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, ListenerService.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: AccessMask.exe.0.dr, ListenerService.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs"
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Virustotal: Detection: 65%
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | ReversingLabs: Detection: 55%
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | File read: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe "C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe"
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AccessMask.exe "C:\Users\user\AppData\Roaming\AccessMask.exe"
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeStatic file information: File size 1129984 > 1048576
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x113400
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445238040.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003F43000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445238040.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003F43000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, ListenerAuthorizer.cs | .Net Code: ExecuteListener System.AppDomain.Load(byte[])
                    Source: AccessMask.exe.0.dr, ListenerAuthorizer.cs | .Net Code: ExecuteListener System.AppDomain.Load(byte[])
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3ffc148.4.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.3fac128.0.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a90000.9.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a90000.9.raw.unpack, ListDecorator.cs | .Net Code: Read
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a90000.9.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a90000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                    Source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a90000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                    Source: Yara match | File source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a20000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.5a20000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1444867182.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1425681362.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe PID: 3816, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AccessMask.exe PID: 2968, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeCode function: 0_2_05AF70EA push ecx; ret 0_2_05AF710C
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeCode function: 0_2_06126900 push edi; retf 0_2_06126906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_00BD0CCB push edi; retf 1_2_00BD0C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_00BD0C6D push edi; retf 1_2_00BD0C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_01080C6D push edi; retf 4_2_01080C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_065C4D20 push es; ret 4_2_065C4D30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_065CFB42 push es; ret 4_2_065CFB44
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_065CFB3D push es; ret 4_2_065CFB40
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeStatic PE information: section name: .text entropy: 7.993263316405533
                    Source: AccessMask.exe.0.drStatic PE information: section name: .text entropy: 7.993263316405533
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | File created: \t&s-wan fung gmt fty ltd (cw0007)-statement as at 28 feb 2025.exe
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | File created: C:\Users\user\AppData\Roaming\AccessMask.exe
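The two static indicators the report raises for this sample, a .text section whose entropy (7.99) sits at the 8.0 ceiling and a .text larger than the 1 MiB limit, are what a packed .NET stub carrying an encrypted payload looks like before any dynamic analysis. The Python below is an added example, not part of the Joe Sandbox report, that reproduces both checks on any PE with the standard library alone (no pefile dependency). Because no sample ships with this page, the image it checks is a constructed, non-executable PE32 skeleton whose .text holds a uniform byte distribution and is sized past 1 MiB (virtual size 0x113400); the 7.9 entropy cut-off is an assumed threshold, not a value from the report.

```python
"""Static re-check of two packer indicators: per-section Shannon entropy and an
oversized .text section. Standard library only; added example, not report code."""
import math
import struct
import sys
from collections import Counter

ENTROPY_THRESHOLD = 7.9         # bits per byte; assumed cut-off, 8.0 is the ceiling
TEXT_SIZE_THRESHOLD = 0x100000  # 1 MiB, the limit the report compares .text against


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, raw_bytes) for each section header.
    Reads only the DOS header, COFF header and section table; raw data that runs
    past the end of the image is returned truncated rather than raising."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        yield name, vsize, raw_size, image[raw_ptr:raw_ptr + raw_size]


def packer_indicators(image: bytes) -> dict:
    """Per-section entropy plus the two flags the report raised for this sample."""
    result = {"sections": {}, "high_entropy": [], "oversized_text": False}
    for name, vsize, raw_size, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        result["sections"][name] = {"entropy": round(ent, 3), "vsize": vsize, "raw_size": raw_size}
        if ent > ENTROPY_THRESHOLD:
            result["high_entropy"].append(name)
        if name == ".text" and max(vsize, raw_size) > TEXT_SIZE_THRESHOLD:
            result["oversized_text"] = True
    return result


def check_file(path: str) -> dict:
    """Run the indicators over a PE on disk, e.g. the dropped AccessMask.exe."""
    with open(path, "rb") as fh:
        return packer_indicators(fh.read())


def build_sample_pe(text_payload: bytes, rsrc_payload: bytes, text_vsize: int = 0) -> bytes:
    """Constructed, non-executable PE32 skeleton with .text and .rsrc sections, used
    only so the checks run offline. Only fields the parser reads are populated."""
    e_lfanew = 0x40
    opt_size = 0xE0  # PE32 optional header length
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    first_raw = e_lfanew + 4 + 20 + opt_size + 40 * 2

    def section(name, vsize, raw, raw_ptr):
        # Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData ... Characteristics
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)

    table = section(b".text", text_vsize or len(text_payload), text_payload, first_raw)
    table += section(b".rsrc", len(rsrc_payload), rsrc_payload, first_raw + len(text_payload))
    return dos + b"PE\0\0" + coff + optional + table + text_payload + rsrc_payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        # Constructed image: uniform bytes in .text (entropy 8.0), virtual size 0x113400
        image = build_sample_pe(bytes(range(256)) * 256, b"\0" * 1024, text_vsize=0x113400)
        print(packer_indicators(image))
```

Either flag on its own is weak evidence (signed installers and self-extracting archives also carry high-entropy sections); the combination on a small .NET executable whose `.text` dwarfs the rest of the image, as here, is what justifies escalating to unpacking.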

                    Boot Survival

                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs
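Two of the behaviours in this report map directly onto host telemetry: the VBS written into the per-user Startup folder (the "Drops script at startup location" Sigma hit), and, from the Section loaded list earlier on this page, InstallUtil.exe loading vaultcli.dll, winhttp.dll, schannel.dll and the RAS DLLs. InstallUtil.exe is a .NET installer utility with no reason to reach the network or the Credential Manager; those loads only make sense once the sample has injected its stealer into it. The Python below is an added example, neither part of the report nor a Sigma rule, that expresses both checks over Sysmon-style FileCreate (Event ID 11) and ImageLoad (Event ID 7) records. The events are constructed from the paths in this report; the InstallUtil.exe PID, the DLL directories, the browser event, and the lists of .NET hosts and DLLs are assumptions for illustration, not exhaustive inventories.

```python
"""Detection logic for two observations in this report: a script dropped into the
user's Startup folder and a .NET utility loading credential/network DLLs.
Added example over constructed Sysmon-style events; not report code."""
import ntpath
import re

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".bat", ".cmd", ".hta"}

# .NET framework utilities commonly hollowed as injection hosts (assumed, illustrative list)
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}
# DLLs that give such a host credential-store access or outbound HTTP/TLS capability
SUSPICIOUS_MODULES = {"vaultcli.dll", "winhttp.dll", "schannel.dll", "rasapi32.dll", "wininet.dll"}


def is_startup_script_drop(event: dict) -> bool:
    """Sysmon EID 11 (FileCreate): a script written under ...\\Start Menu\\Programs\\Startup\\."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    ext = ntpath.splitext(target)[1].lower()
    return bool(STARTUP_RE.search(target)) and ext in SCRIPT_EXT


def is_lolbin_capability_load(event: dict) -> bool:
    """Sysmon EID 7 (ImageLoad): a .NET host process loading a network or credential DLL."""
    if event.get("EventID") != 7:
        return False
    image = ntpath.basename(event.get("Image", "")).lower()
    module = ntpath.basename(event.get("ImageLoaded", "")).lower()
    return image in DOTNET_HOSTS and module in SUSPICIOUS_MODULES


def triage(events) -> list:
    """Return (rule, process, artifact) for each hit; the image-load rule fires once
    per (process, module) so a chatty loader does not flood the queue."""
    alerts, seen = [], set()
    for e in events:
        if is_startup_script_drop(e):
            alerts.append(("startup_script_drop", e["Image"], e["TargetFilename"]))
        elif is_lolbin_capability_load(e):
            key = (e["ProcessId"], ntpath.basename(e["ImageLoaded"]).lower())
            if key not in seen:
                seen.add(key)
                alerts.append(("dotnet_host_capability_load", e["Image"], e["ImageLoaded"]))
    return alerts


SAMPLE = r"C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed events: file paths from the report; PID 3816 from the report, the
# InstallUtil PID, DLL directories and the Firefox event are assumed.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 3816, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs"},
    {"EventID": 11, "ProcessId": 3816, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\AccessMask.exe"},  # not a script, not Startup: no alert
    {"EventID": 7, "ProcessId": 5120, "Image": INSTALLUTIL,
     "ImageLoaded": r"C:\Windows\SysWOW64\vaultcli.dll"},
    {"EventID": 7, "ProcessId": 5120, "Image": INSTALLUTIL,
     "ImageLoaded": r"C:\Windows\SysWOW64\winhttp.dll"},
    {"EventID": 7, "ProcessId": 5120, "Image": INSTALLUTIL,
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel.appcore.dll"},  # benign CLR dependency: no alert
    {"EventID": 7, "ProcessId": 7000, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},  # a browser loading winhttp is expected
]

if __name__ == "__main__":
    for rule, proc, artifact in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {proc} -> {artifact}")
```

The Startup rule is the cheap, high-confidence one: the folder is user-writable, is rarely populated by legitimate software on a managed fleet, and the VBS name it catches here (AccessMask.vbs) is the same stem as the dropped executable, which is worth correlating. The image-load rule is noisier and should be scoped to the .NET host list rather than to every process, since winhttp.dll and schannel.dll are loaded by nearly anything that speaks HTTPS.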
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe PID: 3816, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AccessMask.exe PID: 2968, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1425681362.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory allocated: 1400000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory allocated: 2E30000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: BD0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 28B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 26F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Memory allocated: 13B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Memory allocated: 2DE0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1080000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 2B70000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 29C0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 2503
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 7353
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 2569
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 7279
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3328 | Thread sleep count: 2503 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99874s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3328 | Thread sleep count: 7353 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99399s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99287s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99140s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -99031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98702s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98593s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -98046s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97718s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97390s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97171s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -97059s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96950s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96842s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96622s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96499s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -96000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95324s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -95109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -94999s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -94890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -94781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -94672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -94547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -94437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1940 | Thread sleep time: -94327s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -27670116110564310s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3944 | Thread sleep count: 2569 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3944 | Thread sleep count: 7279 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99750s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99529s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99296s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99162s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -99031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98590s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98468s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98140s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -98031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97918s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97559s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97325s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97215s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -97093s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -96984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -96782s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -96513s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -96400s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -96281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -96172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -96062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95843s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95625s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95297s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95187s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -95078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94968s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94749s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94296s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -94186s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3564 | Thread sleep time: -93981s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99399
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99287
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98702Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98265Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98046Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97171Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97059Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96950Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96842Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96622Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96499Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95324Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94327Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99529Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99296Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99162Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98590Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97918Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97559Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97325Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97215Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96782Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96513Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96400Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95843Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95515Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95297Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95187Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95078Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94968Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94749Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94515Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94296Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94186Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93981Jump to behavior
                    Source: AccessMask.exe, 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: wscript.exe, 00000002.00000003.1542303135.0000018A0A613000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
                    Source: InstallUtil.exe, 00000004.00000002.2688500930.0000000005D52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
                    Source: AccessMask.exe, 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                    Source: InstallUtil.exe, 00000001.00000002.1569883753.0000000004FCA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 63F008
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AccessMask.exe "C:\Users\user\AppData\Roaming\AccessMask.exe"
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Queries volume information: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe VolumeInformation
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Queries volume information: C:\Users\user\AppData\Roaming\AccessMask.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AccessMask.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 3.2.AccessMask.exe.4037860.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.AccessMask.exe.4037860.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2681796098.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2681796098.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1559323187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1564063383.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1564063383.000000000292C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1586329723.0000000004022000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe PID: 3816, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AccessMask.exe PID: 2968, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7076, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 3.2.AccessMask.exe.4037860.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.AccessMask.exe.4037860.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2681796098.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1559323187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1564063383.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1586329723.0000000004022000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe PID: 3816, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AccessMask.exe PID: 2968, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7076, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: 3.2.AccessMask.exe.4037860.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.AccessMask.exe.4037860.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe.419b680.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2681796098.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2681796098.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1559323187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1564063383.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1564063383.000000000292C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1586329723.0000000004022000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe PID: 3816, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6952, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: AccessMask.exe PID: 2968, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7076, type: MEMORYSTR
MITRE ATT&CK Matrix (flattened by extraction; tactic columns, left to right: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Unflagged template cells are omitted; the techniques below are the ones carrying a count badge for this sample, in matrix order, with the badge digits as extracted:

• 111 Scripting
• 121 Windows Management Instrumentation
• 111 Scripting
• 1 DLL Side-Loading
• 1 Disable or Modify Tools
• 2 OS Credential Dumping
• 1 File and Directory Discovery
• 11 Archive Collected Data
• 1 Ingress Tool Transfer
• 1 Scheduled Task/Job
• 1 DLL Side-Loading
• 211 Process Injection
• 1 Deobfuscate/Decode Files or Information
• 1 Input Capture
• 24 System Information Discovery
• 2 Data from Local System
• 11 Encrypted Channel
• 1 Scheduled Task/Job
• 1 Scheduled Task/Job
• 3 Obfuscated Files or Information
• 1 Credentials in Registry
• 311 Security Software Discovery
• 1 Email Collection
• 2 Non-Application Layer Protocol
• 2 Registry Run Keys / Startup Folder
• 2 Registry Run Keys / Startup Folder
• 12 Software Packing
• 1 Process Discovery
• 1 Input Capture
• 23 Application Layer Protocol
• 1 DLL Side-Loading
• 141 Virtualization/Sandbox Evasion
• 1 Masquerading
• 1 Application Window Discovery
• 141 Virtualization/Sandbox Evasion
• 1 System Network Configuration Discovery
• 211 Process Injection

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (ID: 1635290; Sample: T&S-WAN FUNG GMT FTY LTD (C...; Startdate: 11/03/2025; Architecture: WINDOWS; Score: 100). The graph was flattened by extraction and is rewritten node by node below; node numbers and the bracketed badge counts are as extracted.

Node 2 (start):
  DNS: mail.iaa-airferight.com (29); api.ipify.org (31)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
  Started: node 8 T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe [5]; node 12 wscript.exe [1]

Node 8 (T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe):
  Dropped files: C:\Users\user\AppData\...\AccessMask.exe (PE32); C:\Users\user\AppData\...\AccessMask.vbs (ASCII); C:\Users\...\AccessMask.exe:Zone.Identifier (ASCII)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
  Started: node 14 InstallUtil.exe [15 2]

Node 12 (wscript.exe):
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: node 18 AccessMask.exe [2]

Node 14 (InstallUtil.exe):
  Network: api.ipify.org 172.67.74.152, 443, 49704, 49707, CLOUDFLARENETUS, United States; mail.iaa-airferight.com 46.175.148.58, 25, ASLAGIDKOM-NETUA, Ukraine
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)

Node 18 (AccessMask.exe):
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  Started: node 20 InstallUtil.exe [2]

Node 20 (InstallUtil.exe):
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):
T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | 66% | Virustotal | -
T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | 55% | ReversingLabs | Win32.Trojan.Leonem
T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | 100% | Avira | TR/Dropper.Gen

Antivirus detection for the dropped file (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\AccessMask.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\AccessMask.exe | 66% | Virustotal | -
C:\Users\user\AppData\Roaming\AccessMask.exe | 55% | ReversingLabs | Win32.Trojan.Leonem
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
mail.iaa-airferight.com | 46.175.148.58 | true | false | - | high
api.ipify.org | 172.67.74.152 | true | false | - | high

URLs (Name | Malicious | Antivirus Detection | Reputation):
https://api.ipify.org/ | false | - | high
URLs found in memory (Name; Source; Malicious; Antivirus Detection; Reputation). Trailing characters on some URLs are memory artifacts and are kept as extracted.

Name: https://github.com/mgravell/protobuf-net
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://api.ipify.org
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1559323187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1564063383.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000004022000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://github.com/mgravell/protobuf-neti
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://stackoverflow.com/q/14436606/23354
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1425681362.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://account.dyn.com/
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000004186000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1559323187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000004022000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://github.com/mgravell/protobuf-netJ
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://api.ipify.org/t
Source: InstallUtil.exe, 00000001.00000002.1564063383.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1425681362.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1564063383.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1562919680.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://stackoverflow.com/q/11564914/23354;
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: https://stackoverflow.com/q/2152978/23354
Source: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1441813636.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe, 00000000.00000002.1445041815.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, AccessMask.exe, 00000003.00000002.1586329723.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high

Name: http://mail.iaa-airferight.com
Source: InstallUtil.exe, 00000001.00000002.1564063383.000000000292C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2681796098.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: -; Reputation: high
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1635290
Start date and time: 2025-03-11 15:09:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 206
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 150.171.28.10
• Excluded domains from analysis (whitelisted): ev2-ring.msedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target AccessMask.exe, PID 2968 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:10:20 | API Interceptor | 270x Sleep call for process: InstallUtil.exe modified
15:10:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccessMask.vbs
Context by IP (Match; then Associated Sample Name / URL | Detection | Threat Name | Context). The SHA 256 and Link columns held only "Get hash" / "Browse" links and are omitted.

Match: 46.175.148.58
Global e-Banking Payment Advice 000000164.exe | malicious | AgentTesla | -
Wire Remittance Detail.exe | malicious | AgentTesla | -
SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | malicious | AgentTesla | -
pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger | -
G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger | -
yxoY9FvULu.exe | malicious | AgentTesla | -
ShGhJDcXXI.exe | malicious | AgentTesla | -
wpo28029 Changzhou Tairun.exe | malicious | AgentTesla | -
gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger | -
AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger | -

Match: 172.67.74.152
NightFixed 1.0.exe | malicious | Unknown | api.ipify.org/
VibeCall.exe | malicious | RHADAMANTHYS | api.ipify.org/
VibeCall.exe | malicious | RHADAMANTHYS | api.ipify.org/
VibeCall.exe | malicious | RHADAMANTHYS | api.ipify.org/
Editing.exe | malicious | Unknown | api.ipify.org/
Terms_of_reference_06_01_2025_samsung.scr.exe | malicious | Unknown | api.ipify.org/
Contract for Partners.exe | malicious | Unknown | api.ipify.org/
JV4lf0wkWV.exe | malicious | Unknown | api.ipify.org/
Setup.exe | malicious | Unknown | api.ipify.org/?format=xml
jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text

Context by domain (Match; then Associated Sample Name / URL | Detection | Threat Name | Context):

Match: mail.iaa-airferight.com
Global e-Banking Payment Advice 000000164.exe | malicious | AgentTesla | 46.175.148.58
Wire Remittance Detail.exe | malicious | AgentTesla | 46.175.148.58
SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | malicious | AgentTesla | 46.175.148.58
pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
yxoY9FvULu.exe | malicious | AgentTesla | 46.175.148.58
ShGhJDcXXI.exe | malicious | AgentTesla | 46.175.148.58
wpo28029 Changzhou Tairun.exe | malicious | AgentTesla | 46.175.148.58
gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58

Match: api.ipify.org
https://www.livemap-loads.com/login/ | malicious | NetSupport RAT, CAPTCHA Scam ClickFix | 104.26.12.205
https://www.livemap-loads.com/login/ | malicious | NetSupport RAT, CAPTCHA Scam ClickFix | 172.67.74.152
Wire Remittance Detail.exe | malicious | AgentTesla | 104.26.13.205
TcSzPgyAqC1WEJQ.exe | malicious | AgentTesla | 104.26.12.205
y27AF4qx0Q.exe | malicious | AgentTesla | 104.26.13.205
nPqeSjgAQQ.exe | malicious | AgentTesla | 104.26.13.205
FORTUNE ALLIANCE VSL's DESCRIPTION.pdf.bat.exe | malicious | AgentTesla | 104.26.12.205
MV RUN LONG VSL's DETAILS.pdf.bat.exe | malicious | AgentTesla | 104.26.12.205
ynH9fYoMvM.exe | malicious | AgentTesla | 172.67.74.152
yxoY9FvULu.exe | malicious | AgentTesla | 104.26.13.205

Context by ASN (Match; then Associated Sample Name / URL | Detection | Threat Name | Context):

Match: ASLAGIDKOM-NETUA
Global e-Banking Payment Advice 000000164.exe | malicious | AgentTesla | 46.175.148.58
Wire Remittance Detail.exe | malicious | AgentTesla | 46.175.148.58
SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | malicious | AgentTesla | 46.175.148.58
pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
yxoY9FvULu.exe | malicious | AgentTesla | 46.175.148.58
ShGhJDcXXI.exe | malicious | AgentTesla | 46.175.148.58
wpo28029 Changzhou Tairun.exe | malicious | AgentTesla | 46.175.148.58
gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58

Match: CLOUDFLARENETUS
Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml | malicious | Invisible JS, Tycoon2FA | 104.16.2.189
https://getformly.app/KKpGCr | malicious | Invisible JS, Tycoon2FA | 188.114.97.3
https://booking-com-payments-update.help/fohlgkh | malicious | Unknown | 172.67.139.137
https://www.google.com///url?q=https%3A%2F%2Fwww.passosnet.com.br%2F.dd%2F&sa=D&sntz=1&usg=AOvVaw06RIF_pDk1KI1M_8QwBxU6#iHOZfE-SUREDANNRGlhbmEuQmFoYW5AZGFpaWNoaS1zYW5reW8uZXU= | malicious | Invisible JS, Tycoon2FA | 104.16.2.189
Keba-SecureDocument-f5f3d273b3aac9f0deab48ef49b6b79d96f3f54c.svg | malicious | Unknown | 104.18.95.41
https://gamma.app/docs/Innovative-Industrial-Fabricators-LLC-l9jiky9l79t1mba?mode=present#card-04miadc3h3yvc0w | malicious | HTMLPhisher | 104.18.11.200
https://6197612681.sbs | malicious | Unknown | 104.18.95.41
phish_alert_sp2_2.0.0.0 (2).eml | malicious | Unknown | 104.18.86.42
                                                                    https://rebrand.ly/8fca12Get hashmaliciousHTMLPhisherBrowse
                                                                    • 172.67.75.166
                                                                    lisontek2.1.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.45.166
                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    3b5074b1b5d032e5620f69f9f700ff0eftaHTqkV.posh.ps1Get hashmaliciousUnknownBrowse
                                                                    • 172.67.74.152
                                                                    #rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 172.67.74.152
                                                                    sv_chost64.jsGet hashmaliciousUnknownBrowse
                                                                    • 172.67.74.152
                                                                    sv_chost32.jsGet hashmaliciousUnknownBrowse
                                                                    • 172.67.74.152
                                                                    runbroke64.jsGet hashmaliciousUnknownBrowse
                                                                    • 172.67.74.152
                                                                    sv_time32.jsGet hashmaliciousUnknownBrowse
                                                                    • 172.67.74.152
                                                                    https://www.livemap-loads.com/login/Get hashmaliciousNetSupport RAT, CAPTCHA Scam ClickFixBrowse
                                                                    • 172.67.74.152
                                                                    SecuriteInfo.com.Win32.MalwareX-gen.1567.5483.exeGet hashmaliciousLummaC StealerBrowse
                                                                    • 172.67.74.152
                                                                    emotet.docGet hashmaliciousUnknownBrowse
                                                                    • 172.67.74.152
                                                                    Wire Remittance Detail.exeGet hashmaliciousAgentTeslaBrowse
                                                                    • 172.67.74.152
                                                                    No context
Process: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1129984
Entropy (8bit): 7.991110585747674
Encrypted: true
SSDEEP: 24576:D8pWRfv/akLPItzMxj09JLKttNC4m0ykiIT:DgeHiksgxj0zmM6ykp
MD5: 94C16379EFE1D3A7C600B2F83F8C50F0
SHA1: C6CCF2056134A3376EB89F2507D17BAE14DA2F30
SHA-256: 0CA149E59A526C1811FCAC3C14943ACDBC43A3261AF653670BC9E71436B1FC32
SHA-512: CE80B8904CB29D5F8BEC537BDCD1563A6EE45CB2D79B7D69B3820D17DEF2442F916B13C968A86C121FFF72F1EE04534FF260A0311722DB6E4184A248CF1F7686
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Virustotal, Detection: 66%
• Antivirus: ReversingLabs, Detection: 55%
Reputation: low
Process: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 86
Entropy (8bit): 4.770408615238051
Encrypted: false
SSDEEP: 3:FER/n0eFHHoUkh4EaKC5zHn:FER/lFHI9aZ5j
MD5: E1C03CAC9AA72124E0DB40086821EAF4
SHA1: 752D8A815F3852D3CD887ACBB9C56588D20B1547
SHA-256: A0769C2D5F808EA8F57A1E87D5BC75F27BAC9F97104151EF7D27C81812C25F68
SHA-512: 32A006B06A21E71A099E3F7413FB4D8E7EB91C524843FC819CE81FFC328690DDB3A7E96E9F8AEBB3F24DC1FB48B74B9F470CE1B541D0CB33566027BAD80A174D
Malicious: true
Reputation: low
Preview: CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\AccessMask.exe"""
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.991110585747674
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe
File size: 1'129'984 bytes
MD5: 94c16379efe1d3a7c600b2f83f8c50f0
SHA1: c6ccf2056134a3376eb89f2507d17bae14da2f30
SHA256: 0ca149e59a526c1811fcac3c14943acdbc43a3261af653670bc9e71436b1fc32
SHA512: ce80b8904cb29d5f8bec537bdcd1563a6ee45cb2d79b7d69b3820d17def2442f916b13c968a86c121fff72f1ee04534ff260a0311722db6e4184a248cf1f7686
SSDEEP: 24576:D8pWRfv/akLPItzMxj09JLKttNC4m0ykiIT:DgeHiksgxj0zmM6ykp
TLSH: 503523103648E7BAE17A2B73EB5BF99243A8CE1250D3D54DB08E358A8643F1FC50A35D
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x5153ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67CF9CE4 [Tue Mar 11 02:16:04 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]