
Windows Analysis Report 9JbJZPtaKF.exe

Overview

General Information

Sample Name: 9JbJZPtaKF.exe
Analysis ID: 491916
MD5: 133c10454108aa86301f79a03aa24046
SHA1: 21439179cb8700406d57332079ab311d08b0c9bf
SHA256: de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797
Tags: BitRAT, exe, RAT

Detection

AsyncRAT BitRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected BitRAT
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected AntiVM3
Yara detected AsyncRAT
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Creates multiple autostart registry keys
Sigma detected: Suspicious Script Execution From Temp Folder
Writes to foreign memory regions
Connects to many ports of the same IP (likely port scanning)
Bypasses PowerShell execution policy
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Suspicious powershell command line found
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Creates files in alternative data streams (ADS)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores large binary data to the registry
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Sigma detected: PowerShell Script Run in AppData

Process Tree

  • System is w10x64
  • 9JbJZPtaKF.exe (PID: 6972 cmdline: 'C:\Users\user\Desktop\9JbJZPtaKF.exe' MD5: 133C10454108AA86301F79A03AA24046)
    • RegAsm.exe (PID: 7040 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 7084 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • cmd.exe (PID: 4348 cmdline: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 720 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • mmybgd.exe (PID: 4776 cmdline: 'C:\Users\user\AppData\Local\Temp\mmybgd.exe' MD5: BDC628B212725C5FD4287591393CB44E)
            • RegAsm.exe (PID: 4676 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • ct.exe (PID: 4644 cmdline: 'C:\Users\user\AppData\Roaming\cf\ct.exe' MD5: 133C10454108AA86301F79A03AA24046)
    • RegAsm.exe (PID: 5916 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • ct.exe (PID: 5344 cmdline: 'C:\Users\user\AppData\Roaming\cf\ct.exe' MD5: 133C10454108AA86301F79A03AA24046)
    • RegAsm.exe (PID: 6740 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6756 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • bg.exe (PID: 6184 cmdline: 'C:\Users\user\AppData\Roaming\bp\bg.exe' MD5: BDC628B212725C5FD4287591393CB44E)
    • RegAsm.exe (PID: 2532 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 5276 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6580 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 3176 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • bg.exe (PID: 7072 cmdline: 'C:\Users\user\AppData\Roaming\bp\bg.exe' MD5: BDC628B212725C5FD4287591393CB44E)
    • RegAsm.exe (PID: 6748 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6696 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(42 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
14.3.ct.exe.739714.2.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
14.3.ct.exe.739714.2.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
11.3.ct.exe.6f4934.1.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(24 entries in total; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\9JbJZPtaKF.exe', ParentImage: C:\Users\user\Desktop\9JbJZPtaKF.exe, ParentProcessId: 6972, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 7040
Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started; Author: Florian Roth, Max Altgelt; Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'', CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4348, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'', ProcessId: 720
Sigma detected: PowerShell Script Run in AppData
Source: Process started; Author: Florian Roth, Jonhnathan Ribeiro, oscd.community; Data: Command: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, CommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 7084, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, ProcessId: 4348
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\9JbJZPtaKF.exe', ParentImage: C:\Users\user\Desktop\9JbJZPtaKF.exe, ParentProcessId: 6972, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 7040
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'', CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4348, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'', ProcessId: 720
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132773126290596771.720.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 9JbJZPtaKF.exe; Virustotal: Detection: 35%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cf\ct.exe; ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: 9JbJZPtaKF.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\bp\bg.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cf\ct.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe; Joe Sandbox ML: detected
Source: 4.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 17.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: RegAsm.exe, 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: 9JbJZPtaKF.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: Telemetry.Common.pdb## source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000003.309143224.0000000002FD6000.00000004.00000001.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp
Source: Binary string: Telemetry.Common.pdb source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000002.311356379.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe; Code function: 4x nop then push ebp

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 185.157.160.136 ports 1,1975,3,1973,7,9
Source: global traffic; TCP traffic: 192.168.2.3:49749 -> 185.157.160.136:1973
Source: unknown; TCP traffic detected without corresponding DNS query: 185.157.160.136
Source: RegAsm.exe, 00000004.00000002.561796956.000000000530D000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.441347188.0000000000923000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000004.00000002.552795488.00000000011B6000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000004.00000002.561796956.000000000530D000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: ct.exe; String found in binary or memory: http://schemas.microsof
Source: RegAsm.exe, 00000004.00000002.554885816.0000000002EB1000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.443919743.0000000004591000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 9JbJZPtaKF.exe, 9JbJZPtaKF.exe, 00000000.00000000.277536101.0000000000401000.00000020.00020000.sdmp, RegAsm.exe, 00000004.00000002.558074837.00000000042E7000.00000004.00000001.sdmp, ct.exe, 0000000B.00000000.306368311.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000E.00000002.328150567.0000000000401000.00000020.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437697279.0000000000401000.00000020.00020000.sdmp, bg.exe, 00000021.00000002.472166356.0000000000401000.00000020.00020000.sdmp; String found in binary or memory: http://www.vb-helper.com/vba.htm
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, bg.exe, 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp; String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match; File source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Source: 9JbJZPtaKF.exe, 00000000.00000002.281098449.000000000079A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Windows user hook set: 0 mouse low level NULL

                      System Summary:

                      Source: 9JbJZPtaKF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_00479C70
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_004034F0
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0040A2FB
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0040A330
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0040350C
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0040B50D
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0045D710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01159530
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0115D5E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01158C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0115F298
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01158918
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_082F5030
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_082F0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_082F28C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_082F57A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_082F64B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_083026A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_08300968
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_08302430
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_08302423
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_08302693
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeCode function: 14_3_00745012
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0108C240
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0108C2CB
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787EF70
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787D418
                      Source: 9JbJZPtaKF.exeStatic PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: ct.exe.0.drStatic PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: mmybgd.exe.4.drStatic PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: bg.exe.30.drStatic PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: 9JbJZPtaKF.exe, 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameStub.exe" vs 9JbJZPtaKF.exe
                      Source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTelemetry.Common.dllj% vs 9JbJZPtaKF.exe
                      Source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamea.exe vs 9JbJZPtaKF.exe
                      Source: 9JbJZPtaKF.exe, 00000000.00000003.278461394.00000000007FA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamea.exe2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.12W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.AppData2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.cf2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.ct.exe2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.cp2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.net42W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z. vs 9JbJZPtaKF.exe
                      Source: mmybgd.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: bg.exe.30.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: 9JbJZPtaKF.exeVirustotal: Detection: 35%
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeFile read: C:\Users\user\Desktop\9JbJZPtaKF.exe
                      Source: 9JbJZPtaKF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: C:\Users\user\AppData\Local\Temp\mmybgd.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: unknownProcess created: C:\Users\user\Desktop\9JbJZPtaKF.exe 'C:\Users\user\Desktop\9JbJZPtaKF.exe'
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\cf\ct.exe 'C:\Users\user\AppData\Roaming\cf\ct.exe'
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\cf\ct.exe 'C:\Users\user\AppData\Roaming\cf\ct.exe'
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\mmybgd.exe 'C:\Users\user\AppData\Local\Temp\mmybgd.exe'
                      Source: C:\Users\user\AppData\Local\Temp\mmybgd.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\bp\bg.exe 'C:\Users\user\AppData\Roaming\bp\bg.exe'
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\bp\bg.exe 'C:\Users\user\AppData\Roaming\bp\bg.exe'
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\mmybgd.exe 'C:\Users\user\AppData\Local\Temp\mmybgd.exe'
                      Source: C:\Users\user\AppData\Local\Temp\mmybgd.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\AppData\Roaming\bp\bg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeFile created: C:\Users\user\AppData\Roaming\cf\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\mmybgd.exe
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@38/9@0/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                      Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                      Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                      Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Settings.csBase64 encoded string:
                      Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Settings.csBase64 encoded string:
                      Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Settings.csBase64 encoded string:
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_01
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\127138ab06d688bf145f78193fb1c3e5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\df4Rtg34dFjwr
                      Source: 9JbJZPtaKF.exe, 00000000.00000002.281002165.0000000000482000.00000004.00020000.sdmp, ct.exe, 0000000B.00000002.311342011.0000000000482000.00000004.00020000.sdmp, ct.exe, 0000000E.00000002.328236678.0000000000482000.00000004.00020000.sdmp, mmybgd.exe, 0000001E.00000002.442651359.0000000000482000.00000004.00020000.sdmpBinary or memory string: @*\AC:\Users\Pc\Desktop\Private Stubs\yaxil suge\ExtendedRTFCode.vbp
                      Source: 9JbJZPtaKF.exe, 00000000.00000000.277536101.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000B.00000000.306368311.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000E.00000002.328150567.0000000000401000.00000020.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437697279.0000000000401000.00000020.00020000.sdmp, bg.exe, 00000021.00000002.472166356.0000000000401000.00000020.00020000.sdmpBinary or memory string: /@ H*\AC:\Users\Pc\Desktop\Private Stubs\yaxil suge\ExtendedRTFCode.vbp
                      Source: 9JbJZPtaKF.exeBinary or memory string: H*\AC:\Users\Pc\Desktop\Private Stubs\yaxil suge\ExtendedRTFCode.vbp
                      Source: 9JbJZPtaKF.exeString found in binary or memory: eated to reference specifically\ulnone \par Visual Basic Programmer's Journal \par VB2Max \par PlanetCodeSource \par \fs26 VB-helper\fs24 \par \ul\b Known Code Sources\ulnone\b0 \par \pard\nowidctlpar\fs26 Public Function RichWordOver() As String \pa
                      Source: 9JbJZPtaKF.exeString found in binary or memory: 'Ready-To-Run Visual Basic Algorithms, Second Edition \par 'http://www.vb-helper.com/vba.htm \par modified for class usage by adding Sub \b MouseMove\b0 to the class as it needs to know about X and Y for mouse. \b \par \par \b0 Span Example in VB H
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: Binary string: Telemetry.Common.pdb## source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000003.309143224.0000000002FD6000.00000004.00000001.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp
                      Source: Binary string: Telemetry.Common.pdb source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000002.311356379.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp

                      Data Obfuscation:

                      Suspicious powershell command line found
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
                      .NET source code contains potential unpacker
                      Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_3_007DA036 push 00000000h; iretd
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0040BA4D push ebx; iretd
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0040BA50 push ebx; iretd
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeCode function: 0_2_0040BA01 push ebx; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_082F1C92 pushfd ; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_08308130 push ss; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_083099DA pushfd ; retn 0000h
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeCode function: 11_3_006C9966 push 00000000h; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787C591 push cs; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787A5D1 push es; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787C5EB push cs; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787C521 push cs; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787C543 push cs; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787C540 push cs; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787E347 push ds; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_0787E19F push ds; iretd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_07872BAA pushad ; iretd
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeFile created: C:\Users\user\AppData\Roaming\cf\ct.exe
                      Source: C:\Users\user\AppData\Local\Temp\mmybgd.exeFile created: C:\Users\user\AppData\Roaming\bp\bg.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\mmybgd.exe

                      Boot Survival:

                      Yara detected AsyncRAT
                      Source: Yara matchFile source: 14.3.ct.exe.739714.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.ct.exe.739714.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.ct.exe.6f4934.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.8051e4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.ct.exe.722ef8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.ct.exe.6de118.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.ct.exe.722ef8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.ct.exe.739714.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.ct.exe.6f4934.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.ct.exe.6f4934.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.8051e4.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.8051e4.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.ct.exe.6de118.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.ct.exe.6f4934.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.ct.exe.739714.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.327182152.0000000000744000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.325299126.000000000070C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.280183910.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278483376.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.306958807.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.325371450.0000000000744000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.356231512.00000000061A4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.325340924.0000000000723000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.327210322.0000000000723000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278249926.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278304939.0000000000805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.554990912.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278201980.00000000007FA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.308889804.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.306989450.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278470265.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.327236288.0000000000744000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.306923152.00000000006C7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278264012.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.325501534.0000000000739000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.280278807.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.308874401.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278240068.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.278220853.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.308858373.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.325118501.000000000072F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bm (3 events)
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cp (3 events)
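To verify this persistence on a live host, the following PowerShell script (an added example, not part of the sandbox report or the sample) reads the per-user Run and RunOnce keys and flags every value whose executable resolves under AppData or Temp, which is where this sample plants its droppers (Roaming\cf\ct.exe, Roaming\bp\bg.exe). The set of roots treated as suspicious and the command-line parsing are assumptions of this example; the two value names reported above (bm and cp) are what to look for in the output.

```powershell
# Added triage example: list HKCU autostart values and flag those that launch
# something from a user-writable location. Not part of the sandbox report.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: a legitimate autostart rarely lives under these roots.
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, ...)
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Take the executable: the quoted first token if present, else the first whitespace-delimited token
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $hit = $suspiciousRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $cmd
            Executable = $exe
            Exists     = (Test-Path -LiteralPath $exe)
            Suspicious = [bool]$hit
        }
    }
}
```

Run it in the context of the affected user (Run keys are per user). A value whose executable no longer exists is worth keeping in the record as well: droppers like the ones above are often deleted after they have written the next stage.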

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: iconPdf.png
Creates files in alternative data streams (ADS)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local:28-09-2021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value created or modified: HKEY_CURRENT_USER\Software\37C355B9F362AD041939 4E47C429C681B3A23CF9BF8CDF60CAB79FBEDDB88B39B406A61CE21097DD7FE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
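The ADS above is attached to a directory (C:\Users\user\AppData\Local), not a file, so a directory listing will not show it; the registry key beside it is named with a long hex string and holds a value with a 64-character hex name. The PowerShell script below is an added example (not from the sandbox report or the sample) that surfaces both artefacts on a live host: it lists alternate streams on a directory and its immediate children, then looks for HKCU\Software subkeys whose name is a long hex string. The target path, the hex-name heuristic and the 16-character threshold are assumptions of this example.

```powershell
# Added triage example: find alternate data streams on a directory and
# hex-named keys under HKCU\Software. Not part of the sandbox report.
param(
    # Assumption: the directory the report names; change as needed.
    [string]$Path = $env:LOCALAPPDATA
)

# 1. Alternate data streams. Get-Item -Stream * lists every NTFS stream; the
#    main data stream is reported as ':$DATA', anything else is an ADS.
$targets = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Force)
foreach ($t in $targets) {
    Get-Item -LiteralPath $t.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Item   = $t.FullName
                Stream = $_.Stream
                Length = $_.Length
            }
        }
}

# 2. HKCU\Software subkeys whose name is 16 or more hex characters (assumed
#    heuristic), with the names of the values stored under them.
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{16,}$' } |
    ForEach-Object {
        $vals = Get-ItemProperty -Path $_.PSPath
        $names = $vals.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Key        = $_.Name
            ValueNames = ($names -join ', ')
        }
    }
```

To read a stream once it is found, pass the same stream name to Get-Content (for example Get-Content -LiteralPath $Path -Stream '28-09-2021' -Raw); to remove it without touching the directory, Remove-Item accepts the same -Stream parameter.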
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\9JbJZPtaKF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\cf\ct.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR
Yara detected AsyncRAT
Source: Yara match | File source: 14.3.ct.exe.739714.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.3.ct.exe.739714.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.ct.exe.6f4934.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.3.ct.exe.722ef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.ct.exe.6de118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.3.ct.exe.722ef8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.3.ct.exe.739714.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.ct.exe.6f4934.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.ct.exe.6f4934.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.ct.exe.6de118.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.ct.exe.6f4934.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.3.ct.exe.739714.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.327182152.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.325299126.000000000070C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.280183910.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278483376.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.306958807.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.325371450.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.356231512.00000000061A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.325340924.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.327210322.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278249926.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278304939.0000000000805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.554990912.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278201980.00000000007FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.308889804.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.306989450.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278470265.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.327236288.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.306923152.00000000006C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278264012.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.325501534.0000000000739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.280278807.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.308874401.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278240068.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.278220853.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.308858373.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.325118501.000000000072F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 9JbJZPtaKF.exe, 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, ct.exe, 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, RegAsm.exe, 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, ct.exe, 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, RegAsm.exe, 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3404 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3404 | Thread sleep count: 77 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5476 | Thread sleep count: 115 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5476 | Thread sleep count: 9646 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6800 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 | Thread sleep time: -350000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2276 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9646
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 943
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File Volume queried: C:\ FullSizeInformation
Source: powershell.exe, 00000016.00000002.444912196.0000000004886000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: RegAsm.exe, 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp | Binary or memory string: vmware
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp | Binary or memory string: Bm:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: RegAsm.exe, 00000004.00000002.561723054.00000000052F5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CAB008
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F49008
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8D8008
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A80008
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F4B008
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\mmybgd.exe 'C:\Users\user\AppData\Local\Temp\mmybgd.exe'
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: RegAsm.exe, 00000004.00000003.410300499.00000000061F8000.00000004.00000001.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: RegAsm.exe, 00000004.00000002.554377329.00000000016E0000.00000002.00020000.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: RegAsm.exe, 00000004.00000002.554377329.00000000016E0000.00000002.00020000.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: RegAsm.exe, 00000004.00000002.554377329.00000000016E0000.00000002.00020000.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match, file source: 14.3.ct.exe.739714.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 14.3.ct.exe.739714.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ct.exe.6f4934.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.8051e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 14.3.ct.exe.722ef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ct.exe.6de118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 14.3.ct.exe.722ef8.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 14.3.ct.exe.739714.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ct.exe.6f4934.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ct.exe.6f4934.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.8051e4.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.8051e4.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ct.exe.6de118.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ct.exe.6f4934.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 14.3.ct.exe.739714.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.327182152.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.325299126.000000000070C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.280183910.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278483376.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.306958807.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.325371450.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.356231512.00000000061A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.325340924.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.327210322.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278249926.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278304939.0000000000805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.554990912.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278201980.00000000007FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.308889804.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.306989450.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278470265.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.327236288.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.306923152.00000000006C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278264012.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.325501534.0000000000739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.280278807.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.308874401.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278240068.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.278220853.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.308858373.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.325118501.000000000072F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information:

Yara detected BitRAT
Source: Yara match, file source: 31.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 31.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000025.00000002.476289404.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000029.00000002.491911455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 4676, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: bg.exe PID: 6184, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected BitRAT
Source: Yara match, file source: 31.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 31.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000025.00000002.476289404.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000029.00000002.491911455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 4676, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: bg.exe PID: 6184, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | Input Capture 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules 1 | Scheduled Task/Job 1 | Process Injection 412 | Obfuscated Files or Information 121 | LSASS Memory | System Information Discovery 13 | Remote Desktop Protocol | Input Capture 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 2 | Registry Run Keys / Startup Folder 11 | Scheduled Task/Job 1 | Software Packing 11 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Registry Run Keys / Startup Folder 11 | DLL Side-Loading 1 | NTDS | Security Software Discovery 311 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell 2 | Network Logon Script | Network Logon Script | Masquerading 11 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Modify Registry 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 121 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 121 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 412 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | NTFS File Attributes 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

Behavior Graph ID: 491916, Sample: 9JbJZPtaKF.exe, Start date: 28/09/2021, Architecture: WINDOWS, Score: 100 (graph rendering omitted)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
9JbJZPtaKF.exe | 35% | Virustotal |
9JbJZPtaKF.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\bp\bg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\cf\ct.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\mmybgd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\cf\ct.exe | 40% | ReversingLabs | Win32.Trojan.Sabsik

                      Unpacked PE Files

Source | Detection | Scanner | Label
14.3.ct.exe.739714.1.unpack | 100% | Avira | HEUR/AGEN.1110362
0.3.9JbJZPtaKF.exe.8051e4.1.unpack | 100% | Avira | HEUR/AGEN.1110362
14.3.ct.exe.739714.2.unpack | 100% | Avira | HEUR/AGEN.1110362
37.2.RegAsm.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1140205
41.2.RegAsm.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1140205
31.2.RegAsm.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1140205
4.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
11.3.ct.exe.6f4934.2.unpack | 100% | Avira | HEUR/AGEN.1110362
0.3.9JbJZPtaKF.exe.8051e4.2.unpack | 100% | Avira | HEUR/AGEN.1110362
11.3.ct.exe.6f4934.1.unpack | 100% | Avira | HEUR/AGEN.1110362
17.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
12.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.microsof | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | false | | high
http://www.vb-helper.com/vba.htm | 9JbJZPtaKF.exe, 9JbJZPtaKF.exe, 00000000.00000000.277536101.0000000000401000.00000020.00020000.sdmp, RegAsm.exe, 00000004.00000002.558074837.00000000042E7000.00000004.00000001.sdmp, ct.exe, 0000000B.00000000.306368311.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000E.00000002.328150567.0000000000401000.00000020.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437697279.0000000000401000.00000020.00020000.sdmp, bg.exe, 00000021.00000002.472166356.0000000000401000.00000020.00020000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000004.00000002.554885816.0000000002EB1000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.443919743.0000000004591000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp | false | | high
http://schemas.microsof | ct.exe | false | URL Reputation: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | RegAsm.exe, 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, bg.exe, 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP               Domain   Country  ASN     ASN Name                      Malicious
185.157.160.136  unknown  Sweden   197595  OBE-EUROPEObenetworkEuropeSE  true

                                    General Information

                                    Joe Sandbox Version:33.0.0 White Diamond
                                    Analysis ID:491916
                                    Start date:28.09.2021
                                    Start time:07:22:16
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 14m 7s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:9JbJZPtaKF.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:44
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@38/9@0/1
                                    EGA Information:Failed
                                    HDC Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 92%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • TCP Packets have been reduced to 100
                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.209.183, 20.54.110.249, 40.112.88.60, 173.222.108.226, 173.222.108.210, 93.184.221.240, 8.248.115.254, 8.248.147.254, 8.238.85.254, 8.248.119.254, 8.248.139.254, 20.199.120.182, 80.67.82.211, 80.67.82.235, 20.199.120.151, 20.82.210.154
                                    • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size exceeded maximum capacity and may have missing network information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

Time      Type             Description
07:23:12  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cp C:\Users\user\AppData\Roaming\cf\ct.exe
07:23:20  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cp C:\Users\user\AppData\Roaming\cf\ct.exe
07:24:14  API Interceptor  26x Sleep call for process: powershell.exe modified
07:24:24  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bm C:\Users\user\AppData\Roaming\bp\bg.exe
07:24:27  API Interceptor  379x Sleep call for process: RegAsm.exe modified
07:24:32  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bm C:\Users\user\AppData\Roaming\bp\bg.exe

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASN

                                    No context

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local:28-09-2021
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):128
                                    Entropy (8bit):4.936164137895121
                                    Encrypted:false
                                    SSDEEP:3:itC+AgK4mH8ogt03wrH8ogt0tJlZpKDBWJln:ioDgYH8ogt1vgtoppSc3
                                    MD5:F272081EB6D5BDF88A7CDDE29E8AC150
                                    SHA1:EB718AB1BE89F9EB73AC8F1A19D82157DC6E309F
                                    SHA-256:078B6A10730E390E9D44581EA9948AD370D0FC9615EC9598AFEAFF412B6A1CAD
                                    SHA-512:90AA2580785EB0F867D92356D97807759A2CC509ED898B50F9EEAFEF1696D857D55FA997F2ADC6BB5BE319F6B207CEC4E24E9D436FA842C1453883A10B3E1A89
                                    Malicious:true
                                    Reputation:unknown
                                    Preview: <block><data>CkNsaXBib2FyZCBkYXRhOiBbQ0xJUEJPQVJEX1NUQVJUXTBbQ0xJUEJPQVJEX0VORF0K</data></block><block><data>cg==</data></block>
                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):425
                                    Entropy (8bit):5.340009400190196
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                    MD5:CC144808DBAF00E03294347EADC8E779
                                    SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                    SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                    SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                    Malicious:false
                                    Reputation:unknown
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16444
                                    Entropy (8bit):5.57046790718648
                                    Encrypted:false
                                    SSDEEP:384:dt9HXJTXEnrm6RpSBKnEul6SE7Y9gbprcQTDYZy:IRp4KEuljcxRTEI
                                    MD5:9C5740419512622E220DE5BBAF6FA1EC
                                    SHA1:0EAE04DCFA63BB866F7ECFFF9126338A96A26F33
                                    SHA-256:E3800672313D0EC981794F8F0E9E4487EE4704FBBE63006CCC317A9A7DCCD32C
                                    SHA-512:9E15658FEA652B440D51C183F95D90DC8FACFA6F56A9DC7026BB1E4F72A4D07AE023A8F82FFE93E9B6ACD3348AB5D1F5B1A7C84263036296796C0DFA73E93A0B
                                    Malicious:false
                                    Reputation:unknown
                                    Preview: @...e.......................?.7.7.......%............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)s.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wp4lsxaf.jau.ps1
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Reputation:unknown
                                    Preview: 1
                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyk0woll.01u.psm1
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Reputation:unknown
                                    Preview: 1
                                    C:\Users\user\AppData\Local\Temp\mmybgd.exe
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):4731304
                                    Entropy (8bit):7.880890582164195
                                    Encrypted:false
                                    SSDEEP:98304:YC2pE1Qeauo7Bnr3VGKkN2YxQ6BmvS4KB0hUXTMpJgGFwN6bmNNuRhEt:YC2pEieC7BL2Cvsah/pJgTN6bmNkDEt
                                    MD5:BDC628B212725C5FD4287591393CB44E
                                    SHA1:AE1D2F0C1480C0CBD02703D41AE76C36FC011BE8
                                    SHA-256:78F869F3203033C6B2D25C30D545F8BB6D701357B4D870E2707F92A68790DCE9
                                    SHA-512:6EDCA221CCC9DB764A88898CA1AA7FF6C3E50C4720321EA59C811D7876749428AEF9261486F7AC7B1D6C0DDEFA1B6399A105449885C7D20CA591CA3645A1FADD
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Reputation:unknown
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................w...................Rich............PE..L.....Oa..................... .......4....... ....@..........................@.......6H.....................................T...(....p......................................................................(... .......d............................text............................... ..`.data...HJ... ....... ..............@....rsrc........p.......0..............@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Roaming\bp\bg.exe
                                    Process:C:\Users\user\AppData\Local\Temp\mmybgd.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):4731304
                                    Entropy (8bit):7.880890582164195
                                    Encrypted:false
                                    SSDEEP:98304:YC2pE1Qeauo7Bnr3VGKkN2YxQ6BmvS4KB0hUXTMpJgGFwN6bmNNuRhEt:YC2pEieC7BL2Cvsah/pJgTN6bmNkDEt
                                    MD5:BDC628B212725C5FD4287591393CB44E
                                    SHA1:AE1D2F0C1480C0CBD02703D41AE76C36FC011BE8
                                    SHA-256:78F869F3203033C6B2D25C30D545F8BB6D701357B4D870E2707F92A68790DCE9
                                    SHA-512:6EDCA221CCC9DB764A88898CA1AA7FF6C3E50C4720321EA59C811D7876749428AEF9261486F7AC7B1D6C0DDEFA1B6399A105449885C7D20CA591CA3645A1FADD
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Reputation:unknown
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................w...................Rich............PE..L.....Oa..................... .......4....... ....@..........................@.......6H.....................................T...(....p......................................................................(... .......d............................text............................... ..`.data...HJ... ....... ..............@....rsrc........p.......0..............@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Roaming\cf\ct.exe
                                    Process:C:\Users\user\Desktop\9JbJZPtaKF.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):666024
                                    Entropy (8bit):6.300855326189978
                                    Encrypted:false
                                    SSDEEP:6144:Xsh7P4K387yYg9ihPBJ1G08ozfjqXXTewGJX/MHeKPwE+8sS6rU8jcxJ8:8h7l38OKJBWkzfwS/M+KGtLHX
                                    MD5:133C10454108AA86301F79A03AA24046
                                    SHA1:21439179CB8700406D57332079AB311D08B0C9BF
                                    SHA-256:DE0CB500125D733BECBDEB53CF7B3F1BACE4DC91E54805007718970124EF6797
                                    SHA-512:8B2A492A5732C89C2E347270E9B1DF4DB26B79FEFD6FEAE115B35A22B0851C7973FB0ECC9B6C6187791BF720D71A7B69374D81ABF63F0ED73FAED4EFBEE79FBE
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 40%
                                    Reputation:unknown
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................w...................Rich............PE..L.....Oa.............................4....... ....@.................................Z.......................................T...(....p...3..................................................................(... .......d............................text............................... ..`.data...HJ... ....... ..............@....rsrc....3...p...@...0..............@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\Documents\20210928\PowerShell_transcript.088753.vlQ_yutw.20210928072352.txt
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1023
                                    Entropy (8bit):5.163353160334551
                                    Encrypted:false
                                    SSDEEP:24:BxSA45xvBnVvx2DOXVVoWdeW9HjeTKKjX4CIym1ZJXUPVoWdfnxSAZ3:BZovhVvoOFGu9qDYB1Z2PGUZZ3
                                    MD5:6A130F3DDD89490FE85813ED0C44A58F
                                    SHA1:34FEEAA9FA7E877B4FE3ED5380FF6F9F84A56AC9
                                    SHA-256:81FFC9EA5A3E0F3D7F2ECDAA463259A4A39EA6190375892D90A8DBB35D82E1AC
                                    SHA-512:3B611F782E322C40274ADA7F938E16401BFCEB6DB861F2F700CBE40C0ABB5C89CF4ECEAD67357FF456C82469089CE1DD7160E54CD99F3878083F1D7FBD521D97
                                    Malicious:false
                                    Reputation:unknown
                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210928072409..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 088753 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell .ExecutionPolicy Bypass Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\mmybgd.exe'..Process ID: 720..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210928072409..**********************..PS>Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\mmybgd.exe'..**********************..Command start time: 20210928072740..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20210928072740..*

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.300855326189978
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 98.72%
                                    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                    • InstallShield setup (43055/19) 0.42%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    File name:9JbJZPtaKF.exe
                                    File size:666024
                                    MD5:133c10454108aa86301f79a03aa24046
                                    SHA1:21439179cb8700406d57332079ab311d08b0c9bf
                                    SHA256:de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797
                                    SHA512:8b2a492a5732c89c2e347270e9b1df4db26b79fefd6feae115b35a22b0851c7973fb0ecc9b6c6187791bf720d71a7b69374d81abf63f0ed73faed4efbee79fbe
                                    SSDEEP:6144:Xsh7P4K387yYg9ihPBJ1G08ozfjqXXTewGJX/MHeKPwE+8sS6rU8jcxJ8:8h7l38OKJBWkzfwS/M+KGtLHX
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................w.......................Rich............PE..L.....Oa.............................4....... ....@................

                                    File Icon

                                    Icon Hash:ecccccd4d4e8e096

                                    Static PE Info

                                    General

                                    Entrypoint:0x4034f0
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x614F12F6 [Sat Sep 25 12:15:50 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:835f485ca718411734d873f35af1695e

                                    Entrypoint Preview

                                    Instruction
                                    push 00405380h
                                    call 00007F5650801D45h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    xor byte ptr [eax], al
                                    add byte ptr [eax], al
                                    inc eax
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [esp+esi], al
                                    cmp bh, byte ptr [esp+edx*2-4Fh]
                                    xlatb
                                    dec eax
                                    xchg eax, esp
                                    add al, 23h
                                    push ebx
                                    push edi
                                    sbb byte ptr [eax-25h], ah
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add dword ptr [eax], eax
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    inc ebp
                                    js 00007F5650801DC6h
                                    outsb
                                    push edx
                                    push esp
                                    inc esi
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    dec esp
                                    xor dword ptr [eax], eax
                                    add dh, byte ptr [esi+79h]
                                    mov esp, 58F30642h
                                    dec edx
                                    call far 6BBAh : 59928696h
                                    je 00007F5650801D9Dh
                                    bound eax, dword ptr [esi]
                                    movsd
                                    or dword ptr [ecx], edi
                                    inc esi
                                    popfd
                                    out 63h, eax
                                    mov al, byte ptr [72A2B5BAh]
                                    dec edi
                                    lodsd
                                    xor ebx, dword ptr [ecx-48EE309Ah]
                                    or al, 00h
                                    stosb
                                    add byte ptr [eax-2Dh], ah
                                    xchg eax, ebx
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    mov bh, 1Ah
                                    add byte ptr [eax], al
                                    jnp 00007F5650801D6Ch
                                    add byte ptr [eax], al
                                    add byte ptr [ecx], cl
                                    add byte ptr [ecx+73h], al
                                    push 72616F62h
                                    add byte ptr fs:[ecx+eax], dl
                                    or byte ptr [eax], al
                                    dec ebp
                                    inc esp
                                    dec ecx
                                    inc esi
                                    outsd

                                    Data Directories

                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x80354          0x28          .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x87000          0x133f8       .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x228            0x20
                                    IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x364         .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                    Sections

                                    Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                    .text  0x1000           0x801c8       0x81000   False     0.334565391836   data       6.2183301582   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .data  0x82000          0x4a48        0x1000    False     0.00634765625    data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .rsrc  0x87000          0x133f8       0x14000   False     0.338671875      data       5.02760964735  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name           RVA      Size    Type                                                  Language   Country
                                    CUSTOM         0x87258  0xd200  PE32+ executable (DLL) (GUI) x86-64, for MS Windows   English    United States
                                    RT_BITMAP      0x94458  0x25a8  data                                                  English    United States
                                    RT_BITMAP      0x96a00  0x25a8  data                                                  English    United States
                                    RT_ICON        0x98fa8  0x10a8  dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4289967027, next used block 2880417711
                                    RT_STRING      0x9a050  0x64    data                                                  Danish     Denmark
                                    RT_STRING      0x9a0b4  0x90    data                                                  English    United States
                                    RT_STRING      0x9a144  0x48    data                                                  Afrikaans  South Africa
                                    RT_STRING      0x9a144  0x48    data                                                  Afrikaans  Namibia
                                    RT_STRING      0x9a18c  0x88    data                                                  Arabic     Jordan
                                    RT_GROUP_ICON  0x9a214  0x14    data
                                    RT_VERSION     0x9a228  0x1d0   data                                                  English    United States
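
The three tables above can be checked mechanically. The following Python is an added example written for this page, not code from the report or from Joe Sandbox: it resolves each data-directory RVA to the section that maps it (the "Is in Section" column), computes per-section Shannon entropy the way the report does, and scans a resource blob for an embedded MZ/PE header, which is how a CUSTOM resource reported as a PE32+ DLL is located inside .rsrc. The section table and RVAs are transcribed from the report; the 0x1000 section alignment is inferred from those addresses, and the bytes fed to the helpers are constructed stand-ins because the sample itself is not included here.

```python
# Added example (not part of the Joe Sandbox report): static PE checks that
# reproduce the Data Directories, Sections and Resources tables with the
# Python standard library only. Section and directory values are transcribed
# from the report; the byte strings fed to the helpers are constructed here.
import math
import struct
from collections import Counter

# Section table as reported: name -> (VirtualAddress, VirtualSize, SizeOfRawData).
SECTIONS = {
    ".text": (0x1000, 0x801C8, 0x81000),
    ".data": (0x82000, 0x4A48, 0x1000),
    ".rsrc": (0x87000, 0x133F8, 0x14000),
}

# Non-empty data directories as reported: name -> (VirtualAddress, Size).
DATA_DIRECTORIES = {
    "IMPORT": (0x80354, 0x28),
    "RESOURCE": (0x87000, 0x133F8),
    "BOUND_IMPORT": (0x228, 0x20),
    "IAT": (0x1000, 0x364),
}

SECTION_ALIGNMENT = 0x1000  # assumption: implied by the 0x1000-aligned VAs above


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section that maps rva, or None when it lies in the PE
    headers (below the first section) or beyond the last one. A section
    occupies max(VirtualSize, SizeOfRawData) rounded up to the alignment."""
    for name, (va, vsize, rawsize) in sections.items():
        span = max(vsize, rawsize)
        span = (span + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1)
        if va <= rva < va + span:
            return name
    return None


def locate_data_directories(dirs=DATA_DIRECTORIES, sections=SECTIONS):
    """Rebuild the report's 'Is in Section' column. BOUND_IMPORT at RVA 0x228
    resolves to None: it lives in the headers, which is normal."""
    return {name: section_for_rva(va, sections) for name, (va, _size) in dirs.items()}


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 when every byte is identical, 8.0 for
    uniformly random data. The report scores .data at 0.0 (one byte value
    across its 0x1000 raw bytes) and .text at 6.2 (typical native code)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_embedded_pe(blob):
    """Yield (offset, machine) for each MZ header in blob whose e_lfanew points
    at a 'PE\\0\\0' signature. machine is IMAGE_FILE_HEADER.Machine
    (0x14c = i386, 0x8664 = x64, the latter matching the report's CUSTOM
    resource typed as 'PE32+ executable (DLL) ... x86-64')."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 6 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                yield pos, struct.unpack_from("<H", blob, pe + 4)[0]
        pos = blob.find(b"MZ", pos + 1)


def build_fake_pe_stub(machine=0x8664):
    """Constructed test input: the smallest byte string find_embedded_pe
    accepts (a DOS header whose e_lfanew points at a PE signature)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    print(locate_data_directories())
    # Constructed stand-in for .rsrc: zeros, then an x64 stub at the same
    # in-section offset as the report's CUSTOM resource (0x87258 - 0x87000).
    rsrc = b"\0" * 0x258 + build_fake_pe_stub() + b"\0" * 64
    for offset, machine in find_embedded_pe(rsrc):
        print("embedded PE at .rsrc+0x%x, machine=0x%x" % (offset, machine))
    zeros = b"\0" * 0x1000
    print("entropy of an all-zero .data stand-in: %.2f" % shannon_entropy(zeros))
```

On a real file, `find_embedded_pe` is run over the bytes of each resource entry (or the whole .rsrc section); a hit with Machine 0x8664 inside a 32-bit VB6 executable is exactly the mismatch the report's "PE file contains executable resources" signature describes.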

                                    Imports

                                    DLL: MSVBVM60.DLL
                                    Imports: __vbaVarTstGt, __vbaVarSub, __vbaStrI2, __vbaNextEachAry, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLineInputStr, __vbaLateIdCall, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFpCDblR8, __vbaVarIndexStore, __vbaNextEachVar, __vbaLineInputVar, __vbaFreeObjList, __vbaStrErrVarCopy, __vbaVarIndexLoadRef, _adj_fprem1, __vbaRecAnsiToUni, __vbaI2Abs, __vbaStrCat, __vbaWriteFile, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, __vbaVargVarCopy, _adj_fdiv_m32, __vbaAryVar, __vbaVarTstLe, __vbaAryDestruct, __vbaVarIndexLoadRefLock, __vbaLateMemSt, __vbaVarForInit, __vbaForEachCollObj, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaCyStr, __vbaFpR4, __vbaBoolVar, __vbaVargVar, __vbaVarTstLt, __vbaRefVarAry, __vbaFpR8, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVarZero, __vbaNextEachCollObj, __vbaVargVarMove, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarLateMemSt, __vbaCastObjVar, __vbaStrR4, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, __vbaObjIs, __vbaRedimVar, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaExitEachAry, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaVarDiv, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaVarCat, __vbaCheckType, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaR8Str, __vbaVar2Vec, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaVarCmpLt, __vbaFreeStrList, __vbaVarNot, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaForEachAry, __vbaVarCmpEq, __vbaVarAdd, __vbaAryLock, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI2, __vbaVarLateMemCallLd, __vbaVarCopy, __vbaFpI4, __vbaRecDestructAnsi, __vbaVarSetObjAddref, __vbaR8IntI2, __vbaLateMemCallLd, _CIatan, __vbaAryCopy, __vbaI2ErrVar, __vbaStrMove, __vbaCastObj, __vbaI4Cy, __vbaForEachVar, __vbaStrVarCopy, __vbaR8IntI4, _allmul, __vbaLateIdSt, __vbaLateMemCallSt, _CItan, __vbaFPInt, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaStrCy, __vbaMidStmtBstr, __vbaI4ErrVar, __vbaFreeStr, __vbaFreeObj

                                    Version Infos

                                    Description       Data
                                    Translation       0x0409 0x04b0
                                    ProductVersion    1.00
                                    InternalName      a
                                    FileVersion       1.00
                                    OriginalFilename  a.exe
                                    ProductName       ExtendedRTFDemo

                                    Possible Origin

                                    Language of compilation system  Country where language is spoken
                                    English                         United States
                                    Danish                          Denmark
                                    Afrikaans                       South Africa
                                    Afrikaans                       Namibia
                                    Arabic                          Jordan

                                    Network Behavior

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                                    Sep 28, 2021 07:23:14.652782917 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:14.737989902 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:14.738344908 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:14.812731981 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:14.900079012 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:14.900105000 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:14.900263071 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:14.905447960 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:15.073632956 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:15.117784977 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:16.496849060 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:16.805447102 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.013879061 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.014098883 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.251221895 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.254928112 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.255049944 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.256294012 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.305497885 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.345065117 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.523680925 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.536153078 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.536339045 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.538022041 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.563302994 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.563565969 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.570718050 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.618047953 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.821669102 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.823777914 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.824034929 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.825999975 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.828000069 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.828154087 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.865106106 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.867858887 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.868210077 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.869014978 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.871265888 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.871328115 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:17.892878056 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.901174068 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:17.901308060 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.062689066 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.064376116 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.064568996 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.068892956 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.073199034 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.073420048 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.085699081 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.087619066 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.087790966 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.097271919 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.110946894 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.111253977 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.165436983 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.167412043 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.167903900 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.172036886 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.173840046 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.174132109 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.176415920 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.179919958 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.180059910 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.180576086 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.182919979 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.183020115 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.191443920 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.203718901 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.203808069 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.206099033 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.208183050 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.208349943 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.275572062 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.280776024 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.280987978 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.282998085 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.285180092 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.285339117 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.287138939 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.290024042 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.290108919 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.291712046 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.298768044 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.298907042 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.301708937 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.307028055 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.307240963 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.308864117 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.311151981 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.311311007 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.357351065 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.369348049 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.369508982 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.371736050 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.375111103 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.375310898 CEST  49749        1973       192.168.2.3      185.157.160.136
                                    Sep 28, 2021 07:23:18.763593912 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.766567945 CEST  1973         49749      185.157.160.136  192.168.2.3
                                    Sep 28, 2021 07:23:18.766637087 CEST  49749        1973       192.168.2.3      185.157.160.136
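
Added example, not part of the report: the packet rows above reduced to per-conversation statistics, with two of the report's network heuristics applied on top. It assumes one packet per line with the five columns separated by whitespace (timestamp with zone, source port, destination port, source IP, destination IP) and takes the 192.168.2.0/24 host as the sandbox VM. The rows it runs on are the first three and the last row of the table verbatim plus three invented connection attempts to an RFC 5737 TEST-NET address, labelled as such in the code, which exist only to exercise the "many ports of the same IP" rule.

```python
# Added example, not part of the Joe Sandbox report: conversation statistics
# and C2/port-sweep heuristics over packet rows in the format of the TCP
# Packets table. Assumes whitespace-separated columns; the sandbox VM is the
# 192.168.2.0/24 host seen in the report, every other address is remote.
from collections import defaultdict
from datetime import datetime
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")
# Ports a two-way conversation may use without being flagged on its own (assumption).
WELL_KNOWN = {22, 25, 53, 80, 123, 135, 139, 443, 445, 587, 993, 995}


def parse_packet(line):
    """One row -> (timestamp, sport, dport, src_ip, dst_ip), or None for
    header, blank or otherwise unparsable rows."""
    parts = line.split()
    if len(parts) != 9 or not (parts[5].isdigit() and parts[6].isdigit()):
        return None
    head, frac = " ".join(parts[:4]).rsplit(".", 1)  # 'Sep 28, 2021 07:23:14', '652782917'
    ts = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
    ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))  # keep microsecond precision
    return ts, int(parts[5]), int(parts[6]), parts[7], parts[8]


def summarize(lines):
    """Group packets into conversations keyed by
    (local_ip, local_port, remote_ip, remote_port), with packet counts per
    direction and first/last timestamps."""
    convs = {}
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        ts, sport, dport, src, dst = pkt
        if ipaddress.ip_address(src) in LOCAL_NET:
            key, direction = (src, sport, dst, dport), "out"
        else:
            key, direction = (dst, dport, src, sport), "in"
        st = convs.setdefault(key, {"out": 0, "in": 0, "first": ts, "last": ts})
        st[direction] += 1
        st["first"] = min(st["first"], ts)
        st["last"] = max(st["last"], ts)
    return convs


def flag_suspicious(convs, many_ports=3):
    """Two of the report's network heuristics:
    - a two-way conversation on a port outside WELL_KNOWN is a C2 candidate,
      returned as (remote_ip, remote_port, packets, duration_seconds);
    - one remote IP reached on >= many_ports distinct ports is a port sweep
      (the report's 'connects to many ports of the same IP'), returned as
      {remote_ip: sorted ports}."""
    c2 = sorted(
        (rip, rport, st["out"] + st["in"], (st["last"] - st["first"]).total_seconds())
        for (_lip, _lport, rip, rport), st in convs.items()
        if rport not in WELL_KNOWN and st["in"] and st["out"]
    )
    ports_per_ip = defaultdict(set)
    for (_lip, _lport, rip, rport) in convs:
        ports_per_ip[rip].add(rport)
    sweeps = {ip: sorted(p) for ip, p in ports_per_ip.items() if len(p) >= many_ports}
    return c2, sweeps


# Constructed input: the first three rows and the last row of the table
# verbatim, plus three invented connection attempts to a TEST-NET address
# (RFC 5737) that exercise the port-sweep rule; those three are not from the report.
SAMPLE_PACKETS = """
Timestamp Source Port Dest Port Source IP Dest IP
Sep 28, 2021 07:23:14.652782917 CEST 49749 1973 192.168.2.3 185.157.160.136
Sep 28, 2021 07:23:14.737989902 CEST 1973 49749 185.157.160.136 192.168.2.3
Sep 28, 2021 07:23:14.738344908 CEST 49749 1973 192.168.2.3 185.157.160.136
Sep 28, 2021 07:23:18.766637087 CEST 49749 1973 192.168.2.3 185.157.160.136
Sep 28, 2021 07:23:19.000000000 CEST 49750 1000 192.168.2.3 203.0.113.5
Sep 28, 2021 07:23:19.100000000 CEST 49751 1001 192.168.2.3 203.0.113.5
Sep 28, 2021 07:23:19.200000000 CEST 49752 1002 192.168.2.3 203.0.113.5
""".strip().splitlines()

if __name__ == "__main__":
    c2, sweeps = flag_suspicious(summarize(SAMPLE_PACKETS))
    for rip, rport, packets, seconds in c2:
        print("C2 candidate %s:%d packets=%d duration=%.3fs" % (rip, rport, packets, seconds))
    for ip, ports in sweeps.items():
        print("port sweep against %s: %s" % (ip, ports))
```

Run over the full table, the only conversation is 192.168.2.3:49749 to 185.157.160.136:1973, which the first heuristic reports as a C2 candidate; the sweep heuristic only fires on the constructed TEST-NET rows, since this excerpt of the capture shows a single destination port.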

                                    Code Manipulations

                                    Statistics

                                    Behavior

                                    System Behavior

                                    General

                                    Start time: 07:23:07
                                    Start date: 28/09/2021
                                    Path: C:\Users\user\Desktop\9JbJZPtaKF.exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\Desktop\9JbJZPtaKF.exe'
                                    Imagebase: 0x400000
                                    File size: 666024 bytes
                                    MD5 hash: 133C10454108AA86301F79A03AA24046
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: Visual Basic
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.280183910.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278483376.00000000007D7000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278249926.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278304939.0000000000805000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278201980.00000000007FA000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278470265.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278264012.00000000007EF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.280278807.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278240068.00000000007EF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.278220853.00000000007D7000.00000004.00000001.sdmp, Author: Joe Security
                                    Reputation: low

                                    General

                                    Start time: 07:23:08
                                    Start date: 28/09/2021
                                    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase: 0x2e0000
                                    File size: 64616 bytes
                                    MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Reputation: high

                                    General

                                    Start time: 07:23:08
                                    Start date: 28/09/2021
                                    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit): true
                                    Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase: 0xad0000
                                    File size: 64616 bytes
                                    MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: .Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000003.356231512.00000000061A4000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.554990912.0000000002EE8000.00000004.00000001.sdmp, Author: Joe Security
                                    Reputation: high

                                    General

                                    Start time: 07:23:20
                                    Start date: 28/09/2021
                                    Path: C:\Users\user\AppData\Roaming\cf\ct.exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\AppData\Roaming\cf\ct.exe'
                                    Imagebase: 0x400000
                                    File size: 666024 bytes
                                    MD5 hash: 133C10454108AA86301F79A03AA24046
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: Visual Basic
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.306958807.00000000006FF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.308889804.00000000006FF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.306989450.00000000006DF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.306923152.00000000006C7000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.308874401.00000000006DF000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.308858373.00000000006FF000.00000004.00000001.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 40%, ReversingLabs
                                    Reputation: low

                                    General

                                    Start time: 07:23:21
                                    Start date: 28/09/2021
                                    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit): true
                                    Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase: 0xc50000
                                    File size: 64616 bytes
                                    MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: .Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation: high

                                    General

                                    Start time: 07:23:28
                                    Start date: 28/09/2021
                                    Path: C:\Users\user\AppData\Roaming\cf\ct.exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\AppData\Roaming\cf\ct.exe'
                                    Imagebase: 0x400000
                                    File size: 666024 bytes
                                    MD5 hash: 133C10454108AA86301F79A03AA24046
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: Visual Basic
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.327182152.0000000000744000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.325299126.000000000070C000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.325371450.0000000000744000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.325340924.0000000000723000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.327210322.0000000000723000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.327236288.0000000000744000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.325501534.0000000000739000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.325118501.000000000072F000.00000004.00000001.sdmp, Author: Joe Security
                                    Reputation: low

                                    General

                                    Start time: 07:23:30
                                    Start date: 28/09/2021
                                    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase: 0x3c0000
                                    File size: 64616 bytes
                                    MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: C, C++ or other language
                                    Reputation: high

                                    General

                                    Start time: 07:23:30
                                    Start date: 28/09/2021
                                    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit): true
                                    Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase: 0x680000
                                    File size: 64616 bytes
                                    MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: .Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation:high

                                    General

                                    Start time:07:23:48
                                    Start date:28/09/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit
                                    Imagebase:0xd80000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:07:23:48
                                    Start date:28/09/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7f20f0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:07:23:49
                                    Start date:28/09/2021
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
                                    Imagebase:0x1110000
                                    File size:430592 bytes
                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    General

                                    Start time:07:24:21
                                    Start date:28/09/2021
                                    Path:C:\Users\user\AppData\Local\Temp\mmybgd.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\AppData\Local\Temp\mmybgd.exe'
                                    Imagebase:0x400000
                                    File size:4731304 bytes
                                    MD5 hash:BDC628B212725C5FD4287591393CB44E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Visual Basic
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML

                                    General

                                    Start time:07:24:23
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0x890000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_BitRAT, Description: Yara detected BitRAT, Source: 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:07:24:32
                                    Start date:28/09/2021
                                    Path:C:\Users\user\AppData\Roaming\bp\bg.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\AppData\Roaming\bp\bg.exe'
                                    Imagebase:0x400000
                                    File size:4731304 bytes
                                    MD5 hash:BDC628B212725C5FD4287591393CB44E
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:Visual Basic
                                    Yara matches:
                                    • Rule: JoeSecurity_BitRAT, Description: Yara detected BitRAT, Source: 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML

                                    General

                                    Start time:07:24:34
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0x560000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Start time:07:24:35
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0x330000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Start time:07:24:35
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0x250000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Start time:07:24:36
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0xbc0000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_BitRAT, Description: Yara detected BitRAT, Source: 00000025.00000002.476289404.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:07:24:41
                                    Start date:28/09/2021
                                    Path:C:\Users\user\AppData\Roaming\bp\bg.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\AppData\Roaming\bp\bg.exe'
                                    Imagebase:0x400000
                                    File size:4731304 bytes
                                    MD5 hash:BDC628B212725C5FD4287591393CB44E
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:Visual Basic

                                    General

                                    Start time:07:24:42
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0x610000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Start time:07:24:43
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0x500000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Start time:07:24:43
                                    Start date:28/09/2021
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Imagebase:0xc80000
                                    File size:64616 bytes
                                    MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_BitRAT, Description: Yara detected BitRAT, Source: 00000029.00000002.491911455.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                    Disassembly

                                    Code Analysis
