Windows Analysis Report
13.03.2025-13.03.2025 shtml.exe

Overview

General Information

Sample name: 13.03.2025-13.03.2025 shtml.exe
Analysis ID: 1638491
MD5: 9d230f555a48d165dab09a7fc8217e1d
SHA1: b92e29329be4e01e571a7d63d2bf08632de7c796
SHA256: 6eaa8b8e5596f08328a7d53938eadc4617ea123d40c2b0c6e4876f5a6dd30d17
Tags: exe, user-threatcat_ch

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • 13.03.2025-13.03.2025 shtml.exe (PID: 7468, cmdline: "C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe", MD5: 9D230F555A48D165DAB09A7FC8217E1D)
    • RegAsm.exe (PID: 7500, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Configuration

MassLogger: {"EXfil Mode": "SMTP", "From": "darksender@mcnzxz.com", "Password": "Nigeria@2025", "Server": "cphost14.qhoster.net"}
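
The process tree above is the injection chain behind the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Injects a PE file into a foreign process" signatures: a binary run from the user's Desktop starts the .NET framework utility RegAsm.exe with nothing but its own path on the command line, and the payload is then written into that process. A genuine RegAsm.exe run always names the assembly it is supposed to register, so an argument-less launch from an untrusted parent is the thing to alert on. The following detection logic is an added example, not Joe Sandbox code; the events are constructed in a Sysmon Event ID 1-like shape (ProcessId, ParentProcessId, Image, ParentImage, CommandLine), and the field names, the trusted parent roots and the host binaries other than RegAsm.exe are assumptions.

```python
"""Flag the launch pattern in the process tree above: a binary run from a
user-writable path starts a .NET framework host (RegAsm.exe here) with no
arguments, the shape of a process created suspended to be injected into.

Added example, not Joe Sandbox code. Events are constructed in a Sysmon
Event ID 1-like shape; field names and the host binaries other than
RegAsm.exe are assumptions."""
import ntpath
import shlex
from typing import Dict, List

# RegAsm.exe is the host used by this sample; the others are added here as
# commonly abused .NET framework binaries (assumption, not from the report).
DOTNET_HOSTS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe",
}
# Parents under these roots are treated as legitimate launchers (assumption).
TRUSTED_PARENT_ROOTS = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
)


def arguments_of(cmdline: str) -> List[str]:
    """Split a Windows command line (quotes respected, backslashes kept) and drop argv[0]."""
    tokens = shlex.split(cmdline, posix=False)
    return tokens[1:]


def is_trusted_parent(parent_image: str) -> bool:
    return parent_image.lower().startswith(TRUSTED_PARENT_ROOTS)


def hollowing_candidates(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process-create events where a .NET host is started argument-less by a
    parent outside the trusted roots. A real RegAsm.exe run names the assembly
    to register; an empty command line only makes sense as an injection target."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        if image not in DOTNET_HOSTS:
            continue
        if arguments_of(ev["CommandLine"]):
            continue
        if is_trusted_parent(ev["ParentImage"]):
            continue
        hits.append({
            "ProcessId": ev["ProcessId"],
            "ParentProcessId": ev["ParentProcessId"],
            "Image": ev["Image"],
            "ParentImage": ev["ParentImage"],
        })
    return hits


# Constructed events: the first two mirror the report's process tree
# (PIDs 7468 and 7500); the last two are benign look-alikes.
SAMPLE_EVENTS = [
    {"ProcessId": "7468", "ParentProcessId": "4012",
     "Image": r"C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe"'},
    {"ProcessId": "7500", "ParentProcessId": "7468",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    # An installer registering a COM-visible assembly: arguments present, trusted parent.
    {"ProcessId": "8100", "ParentProcessId": "1200",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Vendor\Interop.dll"'},
    # A developer tool in a user path, but it passes arguments.
    {"ProcessId": "8200", "ParentProcessId": "2300",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\dev\tools\buildhelper.exe",
     "CommandLine": r"RegAsm.exe /tlb Out.dll"},
]

if __name__ == "__main__":
    for hit in hollowing_candidates(SAMPLE_EVENTS):
        print(hit)
```

Only PID 7500 survives the three filters. The empty-command-line test does most of the work; the parent-path test is there so that RegAsm.exe runs spawned by an installer or build system under C:\Windows or Program Files do not page anyone.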
Yara Overview

Source | Rule | Description | Author | Strings

Memory dump 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp:
  • JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
  • JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
  • JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | strings:
      0xefdf:$a1: get_encryptedPassword
      0xf307:$a2: get_encryptedUsername
      0xed7a:$a3: get_timePasswordChanged
      0xee9b:$a4: get_passwordField
      0xeff5:$a5: set_encryptedPassword
      0x10951:$a7: get_logins
      0x10602:$a8: GetOutlookPasswords
      0x103f4:$a9: StartKeylogger
      0x108a1:$a10: KeyLoggerEventArgs
      0x10451:$a11: KeyLoggerEventArgsEventHandler
(17 entries in total; the remainder are not reproduced here)
Source | Rule | Description | Author | Strings

Unpacked PE 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack:
  • JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
  • JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
  • JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | strings:
      0xd3df:$a1: get_encryptedPassword
      0xd707:$a2: get_encryptedUsername
      0xd17a:$a3: get_timePasswordChanged
      0xd29b:$a4: get_passwordField
      0xd3f5:$a5: set_encryptedPassword
      0xed51:$a7: get_logins
      0xea02:$a8: GetOutlookPasswords
      0xe7f4:$a9: StartKeylogger
      0xeca1:$a10: KeyLoggerEventArgs
      0xe851:$a11: KeyLoggerEventArgsEventHandler
(31 entries in total; the remainder are not reproduced here)
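
The Windows_Trojan_SnakeKeylogger_af3faa65 hits above are plain-ASCII method names that survive in .NET metadata even when the rest of the assembly is obfuscated, which is why the same rule fires on the unpacked PE carved from the parent and on the memory dump of RegAsm.exe. The following scanner is an added example, not Joe Security or Elastic code: it reproduces the string checks with the ten identifiers the page shows ($a6 is not listed, so it is left out; the rule's real condition is not on the page, so the `min_hits` threshold is an assumption), and it compares the two offset sets the report prints to show that they describe one payload at two different bases.

```python
"""Reproduce the string checks behind the Windows_Trojan_SnakeKeylogger_af3faa65
hits above and compare the two hit sets the report lists (memory dump vs.
unpacked PE).

Added example, not Joe Security or Elastic code. Only the strings the page
shows are used ($a6 is not listed, so it is omitted); the rule's real
condition is not on the page, so `min_hits` is an assumed threshold."""
import re
from typing import Dict, List, Optional

# Identifier strings from the report's Yara hit list.
SNAKE_STRINGS: Dict[str, bytes] = {
    "$a1": b"get_encryptedPassword",
    "$a2": b"get_encryptedUsername",
    "$a3": b"get_timePasswordChanged",
    "$a4": b"get_passwordField",
    "$a5": b"set_encryptedPassword",
    "$a7": b"get_logins",
    "$a8": b"GetOutlookPasswords",
    "$a9": b"StartKeylogger",
    "$a10": b"KeyLoggerEventArgs",
    "$a11": b"KeyLoggerEventArgsEventHandler",
}

# First-hit offsets exactly as the report prints them for the two sources.
MEMORY_DUMP_HITS = {  # 00000001.00000002.2390940134.00000000001E2000...sdmp (RegAsm.exe)
    "$a1": 0xefdf, "$a2": 0xf307, "$a3": 0xed7a, "$a4": 0xee9b, "$a5": 0xeff5,
    "$a7": 0x10951, "$a8": 0x10602, "$a9": 0x103f4, "$a10": 0x108a1, "$a11": 0x10451,
}
UNPACKED_PE_HITS = {  # 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack
    "$a1": 0xd3df, "$a2": 0xd707, "$a3": 0xd17a, "$a4": 0xd29b, "$a5": 0xd3f5,
    "$a7": 0xed51, "$a8": 0xea02, "$a9": 0xe7f4, "$a10": 0xeca1, "$a11": 0xe851,
}


def scan_strings(buf: bytes) -> Dict[str, List[int]]:
    """Every offset at which each identifier occurs as plain ASCII (how .NET
    metadata stores method names). Overlaps are reported as Yara would:
    $a10 also fires inside every $a11 occurrence."""
    hits: Dict[str, List[int]] = {}
    for tag, needle in SNAKE_STRINGS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offsets:
            hits[tag] = offsets
    return hits


def rule_matches(buf: bytes, min_hits: int = 8) -> bool:
    """Fire when at least `min_hits` distinct identifiers are present (assumed threshold)."""
    return len(scan_strings(buf)) >= min_hits


def relative_layout(first_hits: Dict[str, int]) -> Dict[str, int]:
    """Offsets relative to the lowest one, so two dumps of the same payload
    at different bases compare equal."""
    base = min(first_hits.values())
    return {tag: off - base for tag, off in first_hits.items()}


def base_shift(a: Dict[str, int], b: Dict[str, int]) -> Optional[int]:
    """Constant offset between two hit sets if they share one layout, else None."""
    if set(a) != set(b) or relative_layout(a) != relative_layout(b):
        return None
    tag = next(iter(a))
    return a[tag] - b[tag]


def build_sample(placements: Dict[str, int], size: int = 0x400) -> bytes:
    """Constructed test buffer: zero-filled, with chosen identifiers at chosen offsets."""
    buf = bytearray(size)
    for tag, off in placements.items():
        s = SNAKE_STRINGS[tag]
        buf[off:off + len(s)] = s
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample({"$a1": 0x10, "$a9": 0x40, "$a11": 0x80})
    print(scan_strings(sample))
    print("shift between the report's two hit sets:",
          hex(base_shift(MEMORY_DUMP_HITS, UNPACKED_PE_HITS)))
```

Run on the report's own numbers, `base_shift` returns 0x1c00 for every string, which is the evidence that the region Yara hit inside RegAsm.exe is the same module that was carved out of the parent process, just mapped at a different base. When triaging a new sample, that invariance is a quick way to tell "injected copy of the same payload" from "second, different payload" without disassembling anything.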
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-14T12:54:06.596543+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49713 | 158.101.44.242 | 80 | TCP


                  AV Detection

Source: 13.03.2025-13.03.2025 shtml.exe | Avira: detected
Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "darksender@mcnzxz.com", "Password": "Nigeria@2025", "Server": "cphost14.qhoster.net"}
Source: 13.03.2025-13.03.2025 shtml.exe | VirusTotal: Detection: 56%
Source: 13.03.2025-13.03.2025 shtml.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49714 version: TLS 1.0
Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb | source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164243380.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164243380.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1165420462.0000000005150000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00905782h | 1_2_00905366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 009051B9h | 1_2_00904F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00905782h | 1_2_009056AF

Networking

Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.32.1
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49713 -> 158.101.44.242:80
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000001.00000002.2393283628.000000000257E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000001.00000002.2393283628.00000000025AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000001.00000002.2393283628.00000000025AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1166052994.0000000006E92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
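
The captures above are the whole of the sample's pre-exfiltration network behaviour and line up with several signatures at once: the GET to checkip.dyndns.org carries the fixed "Mozilla/4.0 (compatible; MSIE 6.0; ...)" User-Agent ("Uses a known web browser user agent"), the follow-up GET /xml/8.46.123.189 to reallyfreegeoip.org sends no User-Agent at all ("HTTP GET or POST without a user agent") and rides on TLS 1.0 ("Uses insecure TLS / SSL version"), and the address in that path is the public IP the first request returned ("Tries to detect the country of the analysis system"). The scorer below is an added example, not Joe Sandbox code. The raw requests are rebuilt from the report's capture lines with CRLFs restored; the Request record, the finding names, the two-indicator threshold and the benign example.com request are assumptions.

```python
"""Score HTTP requests against the network behaviour recorded above: lookups
of the machine's external IP, the fixed legacy User-Agent, requests with no
User-Agent at all, TLS 1.0, and the peers / JA3 the report ties to this run.

Added example, not Joe Sandbox code. The raw requests are rebuilt from the
report's 'HTTP traffic detected' lines with CRLFs restored; the Request
record, the finding names, the two-indicator threshold and the benign
example.com request are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
REPORT_PEERS = {"158.101.44.242", "104.21.32.1"}  # 104.21.32.1 is Cloudflare space: weak alone
REPORT_JA3 = {"54328bd36c14bd82ddaa0c04b25ed9ad"}
DEPRECATED_TLS = {"TLSv1.0", "TLSv1.1"}
IPV4_IN_PATH = re.compile(r"/(\d{1,3}(?:\.\d{1,3}){3})(?:$|[/?])")


@dataclass
class Request:
    dst: str
    dport: int
    method: str
    path: str
    headers: Dict[str, str]            # header names lower-cased
    tls_version: Optional[str] = None  # from the TLS layer, not the HTTP text
    ja3: Optional[str] = None


def parse_http_request(raw: bytes, dst: str, dport: int,
                       tls_version: Optional[str] = None,
                       ja3: Optional[str] = None) -> Request:
    """Parse the request line and headers of one captured HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(dst, dport, method, path, headers, tls_version, ja3)


def public_ip_in_path(path: str) -> bool:
    """True when the path ends in a routable IPv4 literal (a geolocation lookup of a public IP)."""
    m = IPV4_IN_PATH.search(path)
    if not m:
        return False
    try:
        return ipaddress.ip_address(m.group(1)).is_global
    except ValueError:
        return False


def findings(req: Request) -> List[str]:
    """Independent indicators present on one request, in a fixed order."""
    out: List[str] = []
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent")
    if host in IP_CHECK_HOSTS:
        out.append("external_ip_lookup_host")
    if ua is None:
        out.append("no_user_agent")
    elif ua == LEGACY_UA:
        out.append("legacy_msie6_user_agent")
    if host == "reallyfreegeoip.org" and public_ip_in_path(req.path):
        out.append("geoip_lookup_of_public_ip")
    if req.tls_version in DEPRECATED_TLS:
        out.append("deprecated_tls_version")
    if req.dst in REPORT_PEERS:
        out.append("peer_seen_with_this_sample")
    if req.ja3 in REPORT_JA3:
        out.append("ja3_seen_with_this_sample")
    return out


def is_suspicious(req: Request) -> bool:
    """Two or more indicators; a lone IP check or a lone Cloudflare peer is not enough."""
    return len(findings(req)) >= 2


# Rebuilt from the report's captures; the third request is constructed benign traffic.
CHECKIP_RAW = (b"GET / HTTP/1.1\r\nUser-Agent: " + LEGACY_UA.encode()
               + b"\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n")
GEOIP_RAW = (b"GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org"
             b"\r\nConnection: Keep-Alive\r\n\r\n")
BENIGN_RAW = (b"GET /index.html HTTP/1.1\r\nHost: example.com"
              b"\r\nUser-Agent: Mozilla/5.0\r\n\r\n")


def report_requests() -> List[Request]:
    return [
        parse_http_request(CHECKIP_RAW, "158.101.44.242", 80),
        parse_http_request(GEOIP_RAW, "104.21.32.1", 443, tls_version="TLSv1.0",
                           ja3="54328bd36c14bd82ddaa0c04b25ed9ad"),
        parse_http_request(BENIGN_RAW, "93.184.216.34", 443, tls_version="TLSv1.3"),
    ]


if __name__ == "__main__":
    for req in report_requests():
        print(req.headers.get("host"), findings(req), is_suspicious(req))
```

The two-indicator threshold is deliberate: many legitimate tools query checkip.dyndns.org, and 104.21.32.1 is a Cloudflare anycast address shared by countless sites, so neither should fire on its own. The combination seen here (IP-check host plus a frozen MSIE 6.0 User-Agent, or a geolocation lookup of the host's own public address over TLS 1.0 with no User-Agent) is what distinguishes this traffic from an update check.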

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

                  System Summary

Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Code function: 0_2_0296CC24
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Code function: 0_2_050E9550
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Code function: 0_2_050E1C00
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Code function: 0_2_050E0006
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Code function: 0_2_050E0040
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Code function: 0_2_050E1BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0090C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0090CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00907E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00904F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0090C386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0090B9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0090B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00902DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00904EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00907E66
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000000.1150973078.0000000000822000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameoven.exe* vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1165420462.000000000515C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePoses.dll, vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1162910289.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAntiBossing.dll8 vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164243380.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePoses.dll, vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164243380.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1165365654.0000000005120000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAntiBossing.dll8 vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe | Binary or memory string: OriginalFilenameoven.exe* vs 13.03.2025-13.03.2025 shtml.exe
Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 13.03.2025-13.03.2025 shtml.exe, Nation.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, FuelfordChassis.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.5120000.5.raw.unpack, FuelfordChassis.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\13.03.2025-13.03.2025 shtml.exe.log
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                  Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 13.03.2025-13.03.2025 shtml.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: RegAsm.exe, 00000001.00000002.2393283628.0000000002600000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2393283628.000000000260F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2393283628.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: 13.03.2025-13.03.2025 shtml.exe | Virustotal: Detection: 56%
                  Source: 13.03.2025-13.03.2025 shtml.exe | ReversingLabs: Detection: 52%
                  Source: unknown | Process created: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe "C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe"
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Section loaded: dwrite.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164243380.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1164243380.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, 13.03.2025-13.03.2025 shtml.exe, 00000000.00000002.1165420462.0000000005150000.00000004.08000000.00040000.00000000.sdmp
                  Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: 0xC6296E11 [Thu May 9 05:05:21 2075 UTC]
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Code function: 0_2_0296E6C8 push esp; retf 0_2_0296E6C9
                  Source: 13.03.2025-13.03.2025 shtml.exe | Static PE information: section name: .text entropy: 7.681530557158975
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory allocated: 2960000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory allocated: 2B10000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory allocated: 4B10000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 8A0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2510000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2350000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe TID: 7488 | Thread sleep time: -922337203685477s >= -30000s
                  Source: RegAsm.exe, 00000001.00000002.2392152981.00000000007A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0090C168 LdrInitializeThunk,LdrInitializeThunk,1_2_0090C168
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1E0000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1E0000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1E0000
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1E2000
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1FA000
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1FC000
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 3CD008
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe VolumeInformation
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2393283628.0000000002636000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c906e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c798b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.13.03.2025-13.03.2025 shtml.exe.3c33a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 13.03.2025-13.03.2025 shtml.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7500, type: MEMORYSTR
MITRE ATT&CK Matrix (the number in parentheses is the match badge shown with that technique in the report)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Process Injection (311), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (311), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1), Input Capture (1), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), System Network Configuration Discovery (1), System Information Discovery (13), Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Email Collection (1), Input Capture (1), Archive Collected Data (11), Data from Local System (1), Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

Source | Detection | Scanner | Label
13.03.2025-13.03.2025 shtml.exe | 57% | Virustotal |
13.03.2025-13.03.2025 shtml.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
13.03.2025-13.03.2025 shtml.exe | 100% | Avira | HEUR/AGEN.1308654
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.32.1 | true | false | | high
checkip.dyndns.com | 158.101.44.242 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1638491
Start date and time: 2025-03-14 12:53:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 13.03.2025-13.03.2025 shtml.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 35
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                      No simulations
Match: 104.21.32.1
Associated Sample Name / URL | Detection | Threat Name | Context
SHIPPING DETAILS_PDF.exe | malicious | FormBook | www.auto-total.info/3lc9/
arGdXDmyGJ.exe | malicious | FormBook | www.rbopisalive.cyou/a669/
2rvyZc27tz.exe | malicious | FormBook | www.kdrqcyusevx.info/k7wl/
Final PayStub.exe | malicious | FormBook | www.oddsideodylicoopod.cloud/g43m/?chops=VTj0v6ZXr6p4dp&Ezr8U8lh=iHr8ZanSEmppv2NUfEI3Sn+a6zMFeevffxq5V5At5Kf3VZBf0vxOCE6EQW7iEjpklZqKgy7LQg==
JOB NO. AIQ8478.bat.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
MmF9tcIj1J.exe | malicious | FormBook | www.newanthoperso.shop/lqfq/
Payment Invoice ref0306252.exe | malicious | FormBook | www.rbopisalive.cyou/a669/
DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe | malicious | FormBook | www.kdrqcyusevx.info/k7wl/

Match: 158.101.44.242
Associated Sample Name / URL | Detection | Threat Name | Context
DON.ps1 | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Purchase Order No.1364.exe | malicious | Snake Keylogger | checkip.dyndns.org/
file.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
justificante de transferencia09454545.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
QUOTATION_FEBQUOTE312025#U00faPDF.scr | malicious | MSIL Logger | checkip.dyndns.org/
category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
8QeI7CboDY.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
uhg.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | SOA FEB 2025.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | 104.21.48.1
reallyfreegeoip.org | SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | Payment slip.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | Statement FEB 2025pdf.com.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | Purchase Order No.1364.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
checkip.dyndns.com | SOA FEB 2025.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Payment slip.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Statement FEB 2025pdf.com.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Purchase Order No.1364.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
checkip.dyndns.com | file.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Payment slip.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Purchase Order No.1364.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | file.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | file.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | Notice Letter 2025 03 12 02930920.docs.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | Bank Swift Payment.bat.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
CLOUDFLARENETUS | SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | malicious | ScreenConnect Tool | 172.67.181.28
CLOUDFLARENETUS | https://https.docusign.click/Xckp3QUpZN3dxRHFodEMwRElEMjkzNi96OEZ0MzdvM05qN3hHeE9JNjdDMThoQVo0Ukl2UEhETTdTZEVjNCtzS0IzUFBQb3l5SnRmbWdnMHpCVzdkaTl6NjJEcS93cVduMkdvOHJLV3RlK0JkbmFKRS9oRTdDUXVhVlZXQUd0anJnaUNyTHBNL2xhaFNpd0xwVnFvdlg3dnNYNGlNczg5ZkhVdTZmVlBtd3FEK0RCMHh0THJOdGRYMmRKVUMzK0xKanduNzZ3PT0tLUJCU3Z2YVFGNUd0UHl1TWctLWZaZnlpcFIxMDRETkp4eEx1SVhuQVE9PQ==?cid=322110114 | malicious | KnowBe4 | 104.17.245.203
CLOUDFLARENETUS | SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe | malicious | ScreenConnect Tool | 104.21.48.1
CLOUDFLARENETUS | SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | malicious | ScreenConnect Tool | 104.21.72.99
CLOUDFLARENETUS | http://www.windowsdnsservicereload.icu | malicious | Unknown | 104.21.80.1
CLOUDFLARENETUS | https://encryption-marinha.jkndfuzv.ru/PtM2i/$nadia.sofia.rijo@marinha.pt | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | VM Orger Acknowledged.zip | malicious | Unknown | 104.16.4.189
CLOUDFLARENETUS | http://188.114.97.3 | malicious | Unknown | 104.16.123.96
CLOUDFLARENETUS | http://188.114.96.3 | malicious | Unknown | 104.16.123.96
CLOUDFLARENETUS | Xsysglobal Payment Receipt For Invoice 6c6172732e6b72616566744078737973676c6f62616c2e636f6d.pdf | malicious | Unknown | 172.67.149.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | SOA FEB 2025.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | QUOTATION#006565.exe | malicious | RedLine | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe | malicious | Snake Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | Payment slip.exe | malicious | Snake Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
                                                                                                      No context
                                                                                                      Process:C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1119
                                                                                                      Entropy (8bit):5.345080863654519
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                                                                                      MD5:88593431AEF401417595E7A00FE86E5F
                                                                                                      SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                                                                                      SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                                                                                      SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                                                                                      Malicious:true
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Entropy (8bit):7.656786420263492
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                      File name:13.03.2025-13.03.2025 shtml.exe
                                                                                                      File size:244'736 bytes
                                                                                                      MD5:9d230f555a48d165dab09a7fc8217e1d
                                                                                                      SHA1:b92e29329be4e01e571a7d63d2bf08632de7c796
                                                                                                      SHA256:6eaa8b8e5596f08328a7d53938eadc4617ea123d40c2b0c6e4876f5a6dd30d17
                                                                                                      SHA512:c91a62909edeb30b3b929a5b19d45215d59ab53d1e8bf35ca647d1b5c3fc2307f0c4713c78b1f3902e1084e4a141d1052f6ddc6dda20bbafb19124c31bee0a6b
                                                                                                      SSDEEP:3072:lAnTe+kqIHjFu7LVs6GK6a8dO0W706aycGU8n5VEJgxyGJUMbWa6xS5VlgTiGavN:okPCHRaycGUq5C2EWBgeGQmT50
                                                                                                      TLSH:8334E681B5D649D4FE7526799063081723B13C6EAA3EB9280F0012FED55FBC2F78479A
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n)...............0.............n.... ........@.. ....................... ............@................................
                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                      Entrypoint:0x43d16e
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xC6296E11 [Thu May 9 05:05:21 2075 UTC] (a link time fifty years after the analysis date cannot be genuine; the field was overwritten at build time, which is what the "Binary contains a suspicious time stamp" signature reports)
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
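A worked check of the static header fields above and of the entry stub listed under Instruction, as an added example (it is not the report's or Joe Sandbox's code): a minimal PE32 parser using only the Python standard library that decodes the link-time stamp and compares it with the analysis date, expands Image File Characteristics and DLL Characteristics into their named flags, detects the CLR header that marks a .NET image, and resolves the entry-point RVA to the FF 25 stub. The header bytes it parses are constructed here from the values the report lists (time stamp, entry point, image base, flags, file size); the CLR directory RVA/size, the single .text section layout and the analysis date are assumptions, and the input is not the sample's own bytes.

```python
import struct
from datetime import datetime, timezone

# Report date taken from the sample name (13.03.2025); assumed "now" for the time-stamp check.
ANALYSIS_DATE_UTC = datetime(2025, 3, 13, tzinfo=timezone.utc)

# IMAGE_FILE_HEADER.Characteristics bits (the subset that matters for triage)
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero means a .NET image


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (an RVA is not a file offset)."""
    for _name, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def triage_pe32(data, now):
    """Parse a PE32 image held in memory and return the header facts a sandbox report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_va = clr_size = 0
    if ndirs > CLR_DIRECTORY_INDEX:
        clr_va, clr_size = struct.unpack_from("<II", data, opt + 96 + 8 * CLR_DIRECTORY_INDEX)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    # A 32-bit .NET executable's native entry point is the 6-byte stub FF 25 <abs32>, i.e.
    # jmp dword ptr [<abs32>]: an indirect jump through the IAT slot holding mscoree!_CorExeMain.
    off = rva_to_offset(sections, entry_rva)
    stub = data[off:off + 6]
    jmp_slot = struct.unpack_from("<I", stub, 2)[0] if len(stub) == 6 and stub[:2] == b"\xff\x25" else None
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "timestamp": timestamp,
        "compiled_utc": compiled,
        "timestamp_in_future": compiled > now,   # a link time after the analysis date cannot be genuine
        "file_characteristics": _flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
        "subsystem": {2: "windows gui", 3: "windows cui"}.get(subsystem, str(subsystem)),
        "entrypoint": image_base + entry_rva,
        "is_dotnet": clr_va != 0 and clr_size != 0,
        "entry_jmp_slot": jmp_slot,
    }


def describe_entry_stub(info):
    """Render the entry stub the way a disassembler listing shows it."""
    if info["entry_jmp_slot"] is None:
        return "entry point does not start with an indirect jmp"
    return "jmp dword ptr [%08Xh]" % info["entry_jmp_slot"]


def build_sample_pe32():
    """Constructed PE32 header carrying the values from the report above; not the sample's own bytes."""
    e_lfanew = 0x80
    buf = bytearray(0x3BC00)                              # same on-disk size as the report's file
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # i386, 1 section, TimeDateStamp 0xC6296E11, 0xE0-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 1, 0xC6296E11, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)                         # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x3D16E)                  # AddressOfEntryPoint (0x43d16e - ImageBase)
    struct.pack_into("<I", buf, opt + 28, 0x400000)                 # ImageBase
    struct.pack_into("<HHHHHH", buf, opt + 40, 4, 0, 4, 0, 4, 0)    # OS / image / subsystem versions 4.0
    struct.pack_into("<HH", buf, opt + 68, 2, 0x8540)               # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", buf, opt + 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)  # CLR header (assumed RVA/size)
    struct.pack_into("<8sIIII", buf, opt + 0xE0, b".text", 0x3B174, 0x2000, 0x3BA00, 0x200)  # assumed section
    entry_off = 0x200 + (0x3D16E - 0x2000)
    buf[entry_off:entry_off + 6] = b"\xff\x25\x00\x20\x40\x00"     # jmp dword ptr [00402000h]
    return bytes(buf)


if __name__ == "__main__":
    info = triage_pe32(build_sample_pe32(), ANALYSIS_DATE_UTC)
    for key, value in info.items():
        print("%-22s %s" % (key, value))
    print(describe_entry_stub(info))
```

On a real file call triage_pe32(open(path, "rb").read(), datetime.now(timezone.utc)). A timestamp_in_future result is the condition behind the "Binary contains a suspicious time stamp" signature in the Signatures list; an image that has a CLR header but whose entry point is not the FF 25 stub has had its native entry point replaced and deserves a closer look.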
Instruction
jmp dword ptr [00402000h]
(The remaining lines of the listing are all add byte ptr [eax], al: the disassembler decoding the zero bytes that follow the stub, 00 00 being that instruction's encoding. For a 32-bit .NET assembly this 6-byte indirect jmp through the import address table slot at 0x402000 is the standard native entry stub that hands control to mscoree.dll's _CorExeMain; the managed entry point is recorded in the CLR header, not at this address.)
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d114 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e000 | 0x586 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x40000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3b174 | 0x3b200 | 3e9ae16f0778a387500215f67e00aa95 | False | 0.6558824986786469 | data | 7.681530557158975 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x3e000 | 0x586 | 0x600 | 0a26726623e42c8455fcef0eb1de2339 | False | 0.4140625 | data | 4.009219536512398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x40000 | 0xc | 0x200 | 038d8005dc7d29eed6a48a56a78c02e2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3e0a0 | 0x2fc | data | | | 0.43586387434554974
RT_MANIFEST | 0x3e39c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | oven
FileVersion | 1.0.0.0
InternalName | oven.exe
LegalCopyright | Copyright 2025
LegalTrademarks |
OriginalFilename | oven.exe
ProductName | oven
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-14T12:54:06.596543+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49713 | 158.101.44.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2025 12:54:05.792124987 CET | 49713 | 80 | 192.168.2.4 | 158.101.44.242
Mar 14, 2025 12:54:05.796895981 CET | 80 | 49713 | 158.101.44.242 | 192.168.2.4
Mar 14, 2025 12:54:05.796967983 CET | 49713 | 80 | 192.168.2.4 | 158.101.44.242
Mar 14, 2025 12:54:05.797172070 CET | 49713 | 80 | 192.168.2.4 | 158.101.44.242
Mar 14, 2025 12:54:05.801739931 CET | 80 | 49713 | 158.101.44.242 | 192.168.2.4
Mar 14, 2025 12:54:06.378534079 CET | 80 | 49713 | 158.101.44.242 | 192.168.2.4
Mar 14, 2025 12:54:06.384552956 CET | 49713 | 80 | 192.168.2.4 | 158.101.44.242
Mar 14, 2025 12:54:06.389261007 CET | 80 | 49713 | 158.101.44.242 | 192.168.2.4
Mar 14, 2025 12:54:06.541883945 CET | 80 | 49713 | 158.101.44.242 | 192.168.2.4
Mar 14, 2025 12:54:06.553623915 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:06.553683043 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:06.553745031 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:06.568520069 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:06.568555117 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:06.596543074 CET | 49713 | 80 | 192.168.2.4 | 158.101.44.242
Mar 14, 2025 12:54:07.039164066 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:07.039254904 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:07.056663990 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:07.056715012 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:07.057068110 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:07.112198114 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:07.400643110 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:07.448335886 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:07.508330107 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:07.508394957 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4
Mar 14, 2025 12:54:07.508562088 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:54:07.513834000 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1
Mar 14, 2025 12:55:11.545433998 CET | 80 | 49713 | 158.101.44.242 | 192.168.2.4
Mar 14, 2025 12:55:11.545564890 CET | 49713 | 80 | 192.168.2.4 | 158.101.44.242
Mar 14, 2025 12:55:46.551012993 CET | 49713 | 80 | 192.168.2.4 | 158.101.44.242
Mar 14, 2025 12:55:46.555798054 CET | 80 | 49713 | 158.101.44.242 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2025 12:54:05.774713993 CET | 57710 | 53 | 192.168.2.4 | 1.1.1.1
Mar 14, 2025 12:54:05.781335115 CET | 53 | 57710 | 1.1.1.1 | 192.168.2.4
Mar 14, 2025 12:54:06.544769049 CET | 58144 | 53 | 192.168.2.4 | 1.1.1.1
Mar 14, 2025 12:54:06.552545071 CET | 53 | 58144 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 14, 2025 12:54:05.774713993 CET | 192.168.2.4 | 1.1.1.1 | 0x8cdc | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.544769049 CET | 192.168.2.4 | 1.1.1.1 | 0xacca | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 14, 2025 12:54:05.781335115 CET | 1.1.1.1 | 192.168.2.4 | 0x8cdc | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 12:54:05.781335115 CET | 1.1.1.1 | 192.168.2.4 | 0x8cdc | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:05.781335115 CET | 1.1.1.1 | 192.168.2.4 | 0x8cdc | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:05.781335115 CET | 1.1.1.1 | 192.168.2.4 | 0x8cdc | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:05.781335115 CET | 1.1.1.1 | 192.168.2.4 | 0x8cdc | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:05.781335115 CET | 1.1.1.1 | 192.168.2.4 | 0x8cdc | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.552545071 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.552545071 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.552545071 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.552545071 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.552545071 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.552545071 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 12:54:06.552545071 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false

• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49713 | 158.101.44.242 | 80 | 7500 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
Mar 14, 2025 12:54:05.797172070 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Mar 14, 2025 12:54:06.378534079 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Mar 2025 11:54:06 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dd1b6e5ea5628ce90150a2b764226b1f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Mar 14, 2025 12:54:06.384552956 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Mar 14, 2025 12:54:06.541883945 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Mar 2025 11:54:06 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b427f1522908929198048b70bbfb1a65
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49714 | 104.21.32.1 | 443 | 7500 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-14 11:54:07 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

2025-03-14 11:54:07 UTC | 854 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Mar 2025 11:54:07 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 103513
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Thu, 13 Mar 2025 07:08:53 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bQbt1Eq9ebs7Q2xMQ2HScW3f1DMKns1ZrspBxS7IgrJKFSJQkMtmc3LNBSDeFusEp6F8%2FkFIEkRq%2FwOoanw3kNFBMQA4MAmH3yLI90Vmk6P8DBwfXht1wOQc2eFmGJArkoe%2FrFI6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 92039314891019cb-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1782&rtt_var=680&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1594756&cwnd=230&unsent_bytes=0&cid=069d3ae52c44449c&ts=481&x=0"

2025-03-14 11:54:07 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Target ID: 0
Start time: 07:54:04
Start date: 14/03/2025
Path: C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\13.03.2025-13.03.2025 shtml.exe"
Imagebase: 0x820000
File size: 244'736 bytes
MD5 hash: 9D230F555A48D165DAB09A7FC8217E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1164569253.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

                                                                                                      Target ID:1
                                                                                                      Start time:07:54:04
                                                                                                      Start date:14/03/2025
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                      Imagebase:0x100000
                                                                                                      File size:65'440 bytes
                                                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2390940134.00000000001E2000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2393283628.0000000002636000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:false


Execution Graph

Execution Coverage:11.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:19.1%
Total number of Nodes:157
Total number of Limit Nodes:8
execution_graph (node/edge data of the rendered graph omitted; API calls referenced by its nodes: GetModuleHandleW, DuplicateHandle, CallWindowProcW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateProcessA, Wow64SetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, ResumeThread, CreateWindowExW)

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 707, function 50e9550-50ea0ed (node/edge data of the rendered graph omitted; the blocks call into 50e8db4/50e8dc0, 50e8998/50e89a0, 50e8c28/50e8c20, 50e8a78/50e8a70, 50e8b38/50e8b30 and 50e88e8/50e88f0)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1165297782.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50e0000_13.jbxd
Similarity
• API ID:
• String ID: (
• API String ID: 0-3887548279
• Opcode ID: 3b2c35c0cd2403f723db13e10eebfcad8ca92dcd422ee266dcef8252bfcbd93f
• Instruction ID: b2a9ddfff9f17d57985aeb080a525ddc79b08a23f4c9d1c536abb05509050d9d
• Opcode Fuzzy Hash: 3b2c35c0cd2403f723db13e10eebfcad8ca92dcd422ee266dcef8252bfcbd93f
• Instruction Fuzzy Hash: BD62D470E012288FDB64DF65D984BDDBBB2BF89304F2485EAD409A7294DB319E85CF40
Memory Dump Source
• Source File: 00000000.00000002.1165297782.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50e0000_13.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd02b8bdb3ccada91fe6812cd6be3270030243ecb340bd7aadd96b464be38538
• Instruction ID: ce33770b7a59cb7439acd751f138129e896bcb0a038d9e75077794c015146ee7
• Opcode Fuzzy Hash: bd02b8bdb3ccada91fe6812cd6be3270030243ecb340bd7aadd96b464be38538
• Instruction Fuzzy Hash: 35A17035E103198FDB04DFA4D894AEDBBFAFF89300F658215E416AF2A4DB70A945CB50
Memory Dump Source
• Source File: 00000000.00000002.1165297782.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50e0000_13.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cfe7c51adfc04667c2631e6a2c846d1450f16b05264609ee74939103ad97628
• Instruction ID: 55791e28ad3b7c20514fe2a9bc434cc983311218a49b745e5f573cafba33c1ec
• Opcode Fuzzy Hash: 6cfe7c51adfc04667c2631e6a2c846d1450f16b05264609ee74939103ad97628
• Instruction Fuzzy Hash: B9917135E103099FDB04DFA4D8849DDBBFAFF89300B658215F416AB2A8DB70E945CB50

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 526, function 296cce9-296cec5 (node/edge data of the rendered graph omitted; blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess, 296cec8 and GetCurrentThreadId)
APIs
• GetCurrentProcess.KERNEL32 ref: 0296CD76
• GetCurrentThread.KERNEL32 ref: 0296CDB3
• GetCurrentProcess.KERNEL32 ref: 0296CDF0
• GetCurrentThreadId.KERNEL32 ref: 0296CE49
Memory Dump Source
• Source File: 00000000.00000002.1163602767.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2960000_13.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: d29d1584502e0debc4fc884256b6a50e9d764fb3ffcc7dcfd59314bf33c6d59a
• Instruction ID: ae0f662d8b4dec7be5c3a5ce24953f4fc21278d58e25235dda9cf44d089d38d7
• Opcode Fuzzy Hash: d29d1584502e0debc4fc884256b6a50e9d764fb3ffcc7dcfd59314bf33c6d59a
• Instruction Fuzzy Hash: 9E5124B0D003498FEB14CFA9D588BEEBFF1EF88314F24845AE049AB260DB345945CB65

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 548, function 296ccf8-296cec5 (node/edge data of the rendered graph omitted; blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess, 296cec8 and GetCurrentThreadId)
APIs
• GetCurrentProcess.KERNEL32 ref: 0296CD76
• GetCurrentThread.KERNEL32 ref: 0296CDB3
• GetCurrentProcess.KERNEL32 ref: 0296CDF0
• GetCurrentThreadId.KERNEL32 ref: 0296CE49
Memory Dump Source
• Source File: 00000000.00000002.1163602767.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2960000_13.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: d71806a21ac1ab4dba7da3f1ef8e1ebb9581d6e1a974f60f47026e416894c17b
• Instruction ID: 4665f5c27f69b1e7bfa88725c97a603d4f71ffa219b160f3a73616c031866443
• Opcode Fuzzy Hash: d71806a21ac1ab4dba7da3f1ef8e1ebb9581d6e1a974f60f47026e416894c17b
• Instruction Fuzzy Hash: 7C5146B0D003498FEB14CFAAD588BAEBBF5EF48314F248059E049A7350DB345944CF65

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 847, function 50e8db4-50e9105 (node/edge data of the rendered graph omitted; the block 50e8f4f-50e9009 calls CreateProcessA)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 050E8FF6
Memory Dump Source
• Source File: 00000000.00000002.1165297782.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50e0000_13.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: c950a274d3927b19ac7a6cd57d1b3694d976e5393d7221595707eaaf5009492c
• Instruction ID: 751fc6ab8fdc9ad79f35323dc3ef39256f0e6c3e30ce5b7c2123f9f561d73dd9
• Opcode Fuzzy Hash: c950a274d3927b19ac7a6cd57d1b3694d976e5393d7221595707eaaf5009492c
• Instruction Fuzzy Hash: D7915A71D003199FEB24CFA8D845BEDBBF2BF48310F1485A9E819A7280DB759985CF91

Control-flow Graph

• Executed
• Not Executed
                                                                                                        control_flow_graph 904